RE: tcpdump and Haproxy SSL Offloading

2016-06-08 Thread mlist
m>; mlist <ml...@apsystems.it> Cc: HAProxy <haproxy@formilux.org> Subject: Re: tcpdump and Haproxy SSL Offloading Hi, On 05.06.2016 at 02:19 Igor Cicimov wrote: > > > In haproxy.cfg I used these ciphers I found recommended: > > ciphers ECDHE-RSA-AES256-SH

Re: tcpdump and Haproxy SSL Offloading

2016-06-05 Thread Lukas Tribus
Hi, On 05.06.2016 at 02:19 Igor Cicimov wrote: > In haproxy.cfg I used these ciphers I found recommended: > ciphers ECDHE-RSA-AES256-SHA:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM I would not recommend this. Check [1] and [2] for some up-to-date recommendations. Yes, removing

RE: tcpdump and Haproxy SSL Offloading

2016-06-04 Thread Igor Cicimov
> > > but I do not understand well the mapping with those recognized by test (FS = I think are Forward Secrecy) and these configured and how to find if they support or not PFS. Your help will be appreciated, so I can change haproxy configuration to quickly disable/enable cipher so I ca

RE: tcpdump and Haproxy SSL Offloading

2016-06-04 Thread mlist
;lu...@gmx.net> Cc: mlist <ml...@apsystems.it>; haproxy@formilux.org Subject: Re: tcpdump and Haproxy SSL Offloading Hi Lukas, On Sat, Jun 4, 2016 at 3:03 AM, Lukas Tribus <lu...@gmx.net<mailto:lu...@gmx.net>> wrote: Hello, you can dump the symmetric keys from the browser and

Re: tcpdump and Haproxy SSL Offloading

2016-06-04 Thread Lukas Tribus
Hi, On 04.06.2016 at 02:14 Igor Cicimov wrote: you can dump the symmetric keys from the browser and import them in wireshark to decrypt PFS protected TLS sessions [1] Yes in case you want to troubleshoot something generic this is a good approach but if you want to troubleshoot

Re: tcpdump and Haproxy SSL Offloading

2016-06-03 Thread Igor Cicimov
Hi Lukas, On Sat, Jun 4, 2016 at 3:03 AM, Lukas Tribus wrote: > Hello, > > > you can dump the symmetric keys from the browser and import them in > wireshark to decrypt PFS protected TLS sessions [1] Yes in case you want to troubleshoot something generic this is a good approach

Re: tcpdump and Haproxy SSL Offloading

2016-06-03 Thread Lukas Tribus
Hello, you can dump the symmetric keys from the browser and import them in wireshark to decrypt PFS protected TLS sessions [1] or downgrade your ciphers settings to non-PF ciphers. Properly decrypting the TLS session is the only way to really make sure you see what happens, even if there is

Re: tcpdump and Haproxy SSL Offloading

2016-06-02 Thread Igor Cicimov
On Fri, Jun 3, 2016 at 3:14 AM, mlist wrote: > Often I need to take tcpdump to analyze haproxy communication to clients > and to backend servers. > > As we use haproxy as SSL termination point (haproxy SSL offloading), at low > levels (so tcpdump level) > > we see

tcpdump and Haproxy SSL Offloading

2016-06-02 Thread mlist
Often I need to take tcpdump to analyze haproxy communication to clients and to backend servers. As we use haproxy as SSL termination point (haproxy SSL offloading), at low levels (so tcpdump level) we see communication with client encrypted. Are there simple solutions so I can do a tcpdump