I agree that it would be nice to avoid duplicating this in many different
bind sections. Having to repeat a fairly long and ugly line does make the
config harder to read.
bind 1.2.3.4:443 ssl crt a.b.c.cert crt /etc/haproxy/cert/ ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-GCM-SHA256:AES128-GCM-SHA256:RC4-SHA:RC4-MD5:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:SRP-RSA-3DES-EDE-CBC-SHA:DES-CBC3-SHA:ECDHE-RSA-AES128-SHA256:AES128-SHA256:AES128-SHA
-Bryan
On Thu, Jun 20, 2013 at 8:31 AM, Erwin Schliske erwin.schli...@sevenval.com wrote:
Hello,
Is it possible to set our preferred ciphers in the defaults section?
The background is that we set alternative ciphers, as described in
http://blog.exceliance.fr/2013/01/21/mitigating-the-ssl-beast-attack-using-the-aloha-load-balancer-haproxy/
, to be secured against BEAST.
It would be great not to set this for every listen in the config.
Thanks.
Regards,
Erwin