RE: Enable SSL Forward Secrecy

2017-09-01 Thread Rachel Davis
@free.fr>; haproxy+h...@formilux.org <haproxy@formilux.org> Subject: Re: Enable SSL Forward Secrecy On Fri, Sep 01, 2017 at 07:37:50PM +0200, Daniel Schneller wrote: > Hi, > > inspired by this, I added a paragraph with links to the documentation. > Small patch attached. Cool, thank

Re: Enable SSL Forward Secrecy

2017-09-01 Thread Willy Tarreau
On Fri, Sep 01, 2017 at 07:37:50PM +0200, Daniel Schneller wrote: > Hi, > > inspired by this, I added a paragraph with links to the documentation. > Small patch attached. Cool, thanks Daniel, now applied. Willy

Re: Enable SSL Forward Secrecy

2017-09-01 Thread Daniel Schneller
Hi, inspired by this, I added a paragraph with links to the documentation. Small patch attached. Cheers, Daniel 0001-DOC-Refer-to-Mozilla-TLS-info-config-generator.patch Description: Binary data -- Daniel Schneller Principal Cloud Engineer CenterDevice GmbH | Hochstraße 11

Re: Enable SSL Forward Secrecy

2017-09-01 Thread Willy Tarreau
On Fri, Sep 01, 2017 at 07:04:36PM +0200, Willy Tarreau wrote: > Hi Cyril, s/Cyril/Lukas, sorry guys, that's what happens when I read one e-mail and reply to another one at the same time :-) Willy

Re: Enable SSL Forward Secrecy

2017-09-01 Thread Willy Tarreau
Hi Cyril, On Wed, Aug 30, 2017 at 06:55:07PM +0200, Lukas Tribus wrote: > Hello, > > > > Hehe yikes! This was it. It's normal that someone gets lost in all > > this cipher crap and it should be written in the HaProxy manual as > > an important step on how to harden security. > > It's not a

Re: Enable SSL Forward Secrecy

2017-08-30 Thread Lukas Tribus
Hello, > Hehe yikes! This was it. It’s normal that someone gets lost in all > this cipher crap and it should be written in the HaProxy manual as > an important step on how to harden security. It’s not a good idea to suggest specific cipher settings in the manual, as the situation may change

Re: Enable SSL Forward Secrecy

2017-08-30 Thread Daniel Schneller
Darn! Looking at the “openssl ciphers” Julian provided earlier, my mind “autocompleted” the missing trailing “E” in ECDH (/me facepalms). Thanks, Cyril, for pointing that out! I was starting to doubt myself here :) Cheers, Daniel -- Daniel Schneller Principal Cloud Engineer CenterDevice

Re: Enable SSL Forward Secrecy

2017-08-30 Thread Cyril Bonté
Hi Julian, > From: "Julian Zielke" > Hi, > > I’m struggling with enabling SSL forward secrecy in my haproxy 1.7 > setup. > > So far the global settings look like: > > tune.ssl.default-dh-param 2048 # tune shared secret to 2048bits > ssl-default-bind-options

Re: Enable SSL Forward Secrecy

2017-08-30 Thread Daniel Schneller
<ge...@riseup.net <mailto:ge...@riseup.net>>; > haproxy+h...@formilux.org <mailto:haproxy+h...@formilux.org> > <haproxy@formilux.org <mailto:haproxy@formilux.org>> > Subject: Re: Enable SSL Forward Secrecy > > Well, that’s quite extensiv

Re: Enable SSL Forward Secrecy

2017-08-30 Thread Daniel Schneller
RSA-AES-128-CBC-SHA > SRP-AES-128-CBC-SHA > ECDH-RSA-AES128-SHA > ECDH-ECDSA-AES128-SHA > AES128-SHA > PSK-AES128-CBC-SHA > > Julian > > From: Daniel Schneller [mailto:daniel.schnel...@centerdevice.com > <mailto:daniel.schnel...@centerdevice.com>] > Sent

Re: Enable SSL Forward Secrecy

2017-08-30 Thread Daniel Schneller
n is 1.7.9. > > Julian > > From: Daniel Schneller [mailto:daniel.schnel...@centerdevice.com] > Sent: Wednesday, 30 August 2017 11:58 > To: Julian Zielke <jzie...@next-level-integration.com> > Cc: Georg Faerber <ge...@riseup.net>; haproxy+h...@formilux.org &g

Re: Enable SSL Forward Secrecy

2017-08-30 Thread Daniel Schneller
ote: > > Hi Georg, > > tried this already without effect. > > - Julian > > -Original Message- > From: Georg Faerber [mailto:ge...@riseup.net] > Sent: Wednesday, 30 August 2017 11:51 > To: haproxy@formilux.org > Subject: Re: Enable SSL F

Re: Enable SSL Forward Secrecy

2017-08-30 Thread Daniel Schneller
ation.com> > Cc: haproxy+h...@formilux.org <haproxy@formilux.org> > Subject: Re: Enable SSL Forward Secrecy > > Hi, > > You might want to include a link to your Qualys results to help others see > what exactly they say. > At a casual glance the ciphers look ok, but

Re: Enable SSL Forward Secrecy

2017-08-30 Thread Georg Faerber
On 17-08-30 09:33:23, Julian Zielke wrote: > Hi, > > I'm struggling with enabling SSL forward secrecy in my haproxy 1.7 setup. > > So far the global settings look like: > > tune.ssl.default-dh-param 2048 # tune shared secret to 2048bits > > ssl-default-bind-options force-tlsv12 no-sslv3 >

Re: Enable SSL Forward Secrecy

2017-08-30 Thread Daniel Schneller
Hi, You might want to include a link to your Qualys results to help others see what exactly they say. At a casual glance the ciphers look ok, but it would be easier to see the SSLlabs output. If you don’t want to share it, I suggest scrolling down and looking at the results of the per-browser