m>; mlist <ml...@apsystems.it>
Cc: HAProxy <haproxy@formilux.org>
Subject: Re: tcpdump and Haproxy SSL Offloading
Hi,
Am 05.06.2016 um 02:19 schrieb Igor Cicimov:
>
> > In haproxy.cfg I used these ciphers I found recommended:
> > ciphers ECDHE-RSA-AES256-SH
Hi,
Am 05.06.2016 um 02:19 schrieb Igor Cicimov:
> In haproxy.cfg I used these ciphers I found recommended:
> ciphers ECDHE-RSA-AES256-SHA:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM
I would not recommend this. Check [1] and [2] for some up-to-date
recommendations.
Yes, removing
>
>
> but I do not understand well the mapping with those recognized by test
(FS = I think are Forward Secrecy) and these configured and how to find if
they support or not PFS. Your help will be appreciated, so I can change
haproxy configuration to quickly disable/enable cipher so I ca
;lu...@gmx.net>
Cc: mlist <ml...@apsystems.it>; haproxy@formilux.org
Subject: Re: tcpdump and Haproxy SSL Offloading
Hi Lukas,
On Sat, Jun 4, 2016 at 3:03 AM, Lukas Tribus
<lu...@gmx.net> wrote:
Hello,
you can dump the symmetric keys from the browser and
Hi,
Am 04.06.2016 um 02:14 schrieb Igor Cicimov:
you can dump the symmetric keys from the browser and import them
in wireshark to decrypt PFS protected TLS sessions [1]
Yes in case you want to troubleshoot something generic this is a good
approach but if you want to troubleshoot
Hi Lukas,
On Sat, Jun 4, 2016 at 3:03 AM, Lukas Tribus wrote:
> Hello,
>
>
> you can dump the symmetric keys from the browser and import them in
> wireshark to decrypt PFS protected TLS sessions [1]
Yes in case you want to troubleshoot something generic this is a good
approach
Hello,
you can dump the symmetric keys from the browser and import them in
wireshark to decrypt PFS protected TLS sessions [1] or downgrade your
ciphers settings to non-PF ciphers. Properly decrypting the TLS session
is the only way to really make sure you see what happens, even if there
is
On Fri, Jun 3, 2016 at 3:14 AM, mlist wrote:
> Often I need to take tcpdump to analyze haproxy communication to clients
> and to backend servers.
>
> As we use haproxy as SSL termination point (haproxy SSL offloading), at low
> levels (so tcpdump level)
>
> we see