m>; mlist <ml...@apsystems.it>
Cc: HAProxy <haproxy@formilux.org>
Subject: Re: tcpdump and Haproxy SSL Offloading
Hi,
On 05.06.2016 at 02:19, Igor Cicimov wrote:
>
> > In haproxy.cfg I used these ciphers I found recommended:
> > ciphers ECDHE-RSA-AES256-SH
Hi,
On 05.06.2016 at 02:19, Igor Cicimov wrote:
> In haproxy.cfg I used these ciphers I found recommended:
> ciphers ECDHE-RSA-AES256-SHA:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM
I would not recommend this. Check [1] and [2] for some up-to-date
recommendations.
Yes, removing
>
>
> but I do not understand well the mapping with those recognized by test
(FS = I think are Forward Secrecy) and these configured and how to find if
they support or not PFS. Your help will be appreciated, so I can change
haproxy configuration to quickly disable/enable cipher so I ca
;lu...@gmx.net>
Cc: mlist <ml...@apsystems.it>; haproxy@formilux.org
Subject: Re: tcpdump and Haproxy SSL Offloading
Hi Lukas,
On Sat, Jun 4, 2016 at 3:03 AM, Lukas Tribus
<lu...@gmx.net> wrote:
Hello,
you can dump the symmetric keys from the browser and
Hi,
On 04.06.2016 at 02:14, Igor Cicimov wrote:
you can dump the symmetric keys from the browser and import them
in wireshark to decrypt PFS protected TLS sessions [1]
Yes in case you want to troubleshoot something generic this is a good
approach but if you want to troubleshoot
Hi Lukas,
On Sat, Jun 4, 2016 at 3:03 AM, Lukas Tribus wrote:
> Hello,
>
>
> you can dump the symmetric keys from the browser and import them in
> wireshark to decrypt PFS protected TLS sessions [1]
Yes in case you want to troubleshoot something generic this is a good
approach
Hello,
you can dump the symmetric keys from the browser and import them in
wireshark to decrypt PFS protected TLS sessions [1] or downgrade your
ciphers settings to non-PF ciphers. Properly decrypting the TLS session
is the only way to really make sure you see what happens, even if there
is
On Fri, Jun 3, 2016 at 3:14 AM, mlist wrote:
> Often I need to take tcpdump to analyze haproxy communication to clients
> and to backend servers.
>
> As we use haproxy as SSL termination point (haproxy SSL offloading), at low
> levels (so tcpdump level)
>
> we see
Often I need to take tcpdump to analyze haproxy communication to clients and to
backend servers.
As we use haproxy as SSL termination point (haproxy SSL offloading), at low
levels (so tcpdump level)
we see communication with client encrypted. There are simple solution so I can
do a tcpdump