Hello all,
I was installing relayd as a load balancer (and SSL terminator) on an
OpenBSD 6.0 amd64 base install.
I used the following configuration for my /etc/relayd.conf file:
http protocol https {
        match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
        match request header append "X-Forwarded-By" \
            value "$SERVER_ADDR:$SERVER_PORT"
        match request header append "X-Forwarded-Proto" value "https"
        match request header set "Connection" value "close"
        tls { no tlsv1.0, ciphers HIGH }
}
The site I used to test was https://www.ssllabs.com/ssltest/
According to Qualys the result for my site was a fail (F)
due to the following ciphers being supported by relayd / LibreTLS:
TLS_ECDH_anon_WITH_AES_256_CBC_SHA (0xc019) INSECURE 256
TLS_ECDH_anon_WITH_AES_128_CBC_SHA (0xc018) INSECURE 128
TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA (0xc017) INSECURE 112
I was wondering if these ciphers could be disabled by default
in the upcoming release (if not already done so). I will investigate
selecting ciphers manually to exclude those ciphers in the meantime.
Thanks for your time,
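The three suites Qualys flagged are all anonymous key exchange (ECDH_anon), which has no certificate authentication and therefore no protection against an active man-in-the-middle. The HIGH alias only filters on cipher strength, so it keeps anonymous suites. As an added example (not from the original post, and not OpenBSD's own sample configuration), here is the same protocol block with the cipher string changed to exclude every anonymous suite; it assumes relayd's ciphers keyword accepts the cipher-list syntax documented in the CIPHERS section of openssl(1), where !aNULL removes all suites with no authentication and !eNULL removes suites with no encryption:

```conf
# /etc/relayd.conf (constructed example, not the original poster's file)
http protocol https {
        match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
        match request header append "X-Forwarded-By" \
            value "$SERVER_ADDR:$SERVER_PORT"
        match request header append "X-Forwarded-Proto" value "https"
        match request header set "Connection" value "close"

        # Weak setting from the original post, kept here only for comparison:
        #   tls { no tlsv1.0, ciphers HIGH }
        # HIGH still admits ECDH_anon / ADH suites (no server authentication).

        # Corrected: strong suites only, and drop anything with no
        # authentication (!aNULL) or no encryption (!eNULL).
        tls { no tlsv1.0, ciphers "HIGH:!aNULL:!eNULL" }
}
```

Before reloading relayd you can confirm what a cipher string expands to on the box itself with `openssl ciphers -v 'HIGH:!aNULL:!eNULL'`; every line should show an Au= value other than None, and no AECDH or ADH names should appear. Run `relayd -n` to check the file parses, then re-test with the SSL Labs scanner to confirm the INSECURE entries are gone.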