RE: tcpdump and Haproxy SSL Offloading

2016-06-08 Thread mlist
m>; mlist <ml...@apsystems.it> Cc: HAProxy <haproxy@formilux.org> Subject: Re: tcpdump and Haproxy SSL Offloading Hi, On 05.06.2016 at 02:19, Igor Cicimov wrote: > > > In haproxy.cfg I used these ciphers I found recommended: > > ciphers ECDHE-RSA-AES256-SH

Re: tcpdump and Haproxy SSL Offloading

2016-06-05 Thread Lukas Tribus
Hi, On 05.06.2016 at 02:19, Igor Cicimov wrote: > In haproxy.cfg I used these ciphers I found recommended: > ciphers ECDHE-RSA-AES256-SHA:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM I would not recommend this. Check [1] and [2] for some up-to-date recommendations. Yes, removing

RE: tcpdump and Haproxy SSL Offloading

2016-06-04 Thread Igor Cicimov
> > > but I do not understand well the mapping with those recognized by test (FS = I think are Forward Secrecy) and these configured and how to find if they support or not PFS. Your help will be appreciated, so I can change haproxy configuration to quickly disable/enable cipher so I ca

RE: tcpdump and Haproxy SSL Offloading

2016-06-04 Thread mlist
;lu...@gmx.net> Cc: mlist <ml...@apsystems.it>; haproxy@formilux.org Subject: Re: tcpdump and Haproxy SSL Offloading Hi Lukas, On Sat, Jun 4, 2016 at 3:03 AM, Lukas Tribus <lu...@gmx.net<mailto:lu...@gmx.net>> wrote: Hello, you can dump the symmetric keys from the browser and

Re: tcpdump and Haproxy SSL Offloading

2016-06-04 Thread Lukas Tribus
Hi, On 04.06.2016 at 02:14, Igor Cicimov wrote: you can dump the symmetric keys from the browser and import them in wireshark to decrypt PFS protected TLS sessions [1] Yes in case you want to troubleshoot something generic this is a good approach but if you want to troubleshoot

Re: tcpdump and Haproxy SSL Offloading

2016-06-03 Thread Igor Cicimov
Hi Lukas, On Sat, Jun 4, 2016 at 3:03 AM, Lukas Tribus wrote: > Hello, > > > you can dump the symmetric keys from the browser and import them in > wireshark to decrypt PFS protected TLS sessions [1] Yes in case you want to troubleshoot something generic this is a good approach

Re: tcpdump and Haproxy SSL Offloading

2016-06-03 Thread Lukas Tribus
Hello, you can dump the symmetric keys from the browser and import them in wireshark to decrypt PFS protected TLS sessions [1] or downgrade your ciphers settings to non-PFS ciphers. Properly decrypting the TLS session is the only way to really make sure you see what happens, even if there is
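As an added illustration of the key-log approach Lukas describes (example code written for this page, not from the thread or from Wireshark): Firefox and Chrome write an NSS-format key log when the SSLKEYLOGFILE environment variable is set, and Wireshark (preference tls.keylog_file, or `tshark -o tls.keylog_file:<path> -r capture.pcap`) decrypts a session by finding the CLIENT_RANDOM line whose 32-byte random equals the random in that session's captured ClientHello. The script below parses a constructed key log (TLS 1.2 and TLS 1.3 lines, plus a garbage line that must be skipped), extracts the random and offered cipher suites from a constructed ClientHello record, and looks up the matching secrets. All randoms and secrets are dummy values, and the builder/parser function names are my own.

```python
"""Added example: match an NSS key log to a captured TLS ClientHello.

Browsers write this format when SSLKEYLOGFILE is set; Wireshark decrypts a
session by finding the line whose client random equals the random in the
captured ClientHello. All secrets, randoms and function names here are
constructed for the example; nothing comes from the thread.
"""
import struct

# Labels Wireshark understands. TLS <= 1.2 has one line per session
# (master secret, 48 bytes); TLS 1.3 has one line per traffic secret.
TLS12_LABELS = {"CLIENT_RANDOM"}
TLS13_LABELS = {
    "CLIENT_EARLY_TRAFFIC_SECRET", "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET", "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET",
}

# A few suite IDs named in the thread's cipher string (IANA numbers).
SUITE_NAMES = {0xC014: "ECDHE-RSA-AES256-SHA", 0x0005: "RC4-SHA", 0x0035: "AES256-SHA"}

# Constructed dummy values: one TLS 1.2 session (A) and one TLS 1.3 session (B).
CLIENT_RANDOM_A = bytes(range(32))
MASTER_SECRET_A = bytes([0xAB]) * 48
CLIENT_RANDOM_B = bytes(range(32, 64))
TRAFFIC_SECRET_B = bytes([0xCD]) * 32   # SHA-256 suite: 32-byte secrets

SAMPLE_KEYLOG = "\n".join([
    "# SSL/TLS secrets log file, generated by NSS",
    f"CLIENT_RANDOM {CLIENT_RANDOM_A.hex()} {MASTER_SECRET_A.hex()}",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {CLIENT_RANDOM_B.hex()} {TRAFFIC_SECRET_B.hex()}",
    f"SERVER_HANDSHAKE_TRAFFIC_SECRET {CLIENT_RANDOM_B.hex()} {TRAFFIC_SECRET_B.hex()}",
    f"CLIENT_TRAFFIC_SECRET_0 {CLIENT_RANDOM_B.hex()} {TRAFFIC_SECRET_B.hex()}",
    f"SERVER_TRAFFIC_SECRET_0 {CLIENT_RANDOM_B.hex()} {TRAFFIC_SECRET_B.hex()}",
    "CLIENT_RANDOM not-hex-at-all",   # truncated/garbage line: must be skipped
])


def parse_keylog(text: str) -> dict[bytes, dict[str, bytes]]:
    """Parse key log text into {client_random: {label: secret}}.

    Malformed lines are skipped, not fatal, since the browser may still be
    appending to the file while it is read. Legacy 'RSA <id> <premaster>'
    lines are keyed by encrypted-premaster bytes, not client random, and
    are ignored here.
    """
    sessions: dict[bytes, dict[str, bytes]] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[0].startswith("#"):
            continue
        label, rnd_hex, secret_hex = parts
        if label not in TLS12_LABELS | TLS13_LABELS:
            continue
        try:
            rnd, secret = bytes.fromhex(rnd_hex), bytes.fromhex(secret_hex)
        except ValueError:
            continue
        if len(rnd) != 32:
            continue
        if label == "CLIENT_RANDOM" and len(secret) != 48:
            continue
        if label in TLS13_LABELS and len(secret) not in (32, 48):  # SHA-256 / SHA-384
            continue
        sessions.setdefault(rnd, {})[label] = secret
    return sessions


def build_client_hello(client_random: bytes, suites: list[int]) -> bytes:
    """Minimal TLS 1.2 ClientHello record (constructed input for the example)."""
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    hello = (b"\x03\x03" + client_random + b"\x00"          # version, random, empty session id
             + struct.pack("!H", len(suite_bytes)) + suite_bytes
             + b"\x01\x00")                                  # compression: null only
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record: bytes) -> tuple[bytes, list[int]]:
    """Return (client_random, offered cipher suite IDs) from a handshake record."""
    content_type, _version, length = struct.unpack("!BHH", record[:5])
    body = record[5:5 + length]
    if content_type != 22 or not body or body[0] != 1:
        raise ValueError("not a ClientHello handshake record")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    client_random = hello[2:34]
    off = 35 + hello[34]                         # skip session id
    cs_len = int.from_bytes(hello[off:off + 2], "big")
    suites = [int.from_bytes(hello[i:i + 2], "big")
              for i in range(off + 2, off + 2 + cs_len, 2)]
    return client_random, suites


def find_secrets(keylog: dict[bytes, dict[str, bytes]], record: bytes):
    """Secrets for the session a ClientHello belongs to, or None if not logged."""
    client_random, _suites = parse_client_hello(record)
    return keylog.get(client_random)


if __name__ == "__main__":
    keylog = parse_keylog(SAMPLE_KEYLOG)
    rec = build_client_hello(CLIENT_RANDOM_A, [0xC014, 0x0035])
    rnd, suites = parse_client_hello(rec)
    print("offered:", [SUITE_NAMES.get(s, hex(s)) for s in suites])
    print("secrets:", find_secrets(keylog, rec))
```

The lookup key is the client random, which is sent in the clear, so the key log only has to be written by the endpoint that holds the session keys (the browser here) and can be applied to a tcpdump taken anywhere on the path, including in front of haproxy. A session whose random is absent from the log stays opaque; that is what happens when the capture spans sessions started before SSLKEYLOGFILE was set.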

Re: tcpdump and Haproxy SSL Offloading

2016-06-02 Thread Igor Cicimov
On Fri, Jun 3, 2016 at 3:14 AM, mlist wrote: > Often I need to take tcpdump to analyze haproxy communication to clients > and to backend servers. > > As we use haproxy as SSL termination point (haproxy SSL offloading), at low > levels (so tcpdump level) > > we see