On Thursday 06 April 2017 16:38:26 Tom Smyth wrote:
> Hello all,
>
> I was installing relayd as a loadbalancer (and ssl terminator) on
> OpenBSD6.0
> amd64 base install,
>
> I used the following configuration for my /etc/relayd.conf file
>
> http protocol https {
> match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
> match request header append "X-Forwarded-By" \
> value "$SERVER_ADDR:$SERVER_PORT"
> match request header append "X-Forwarded-Proto" value "https"
> match request header set "Connection" value "close"
> tls { no tlsv1.0, ciphers HIGH }
> }
>
> The Site I used to test was
> https://www.ssllabs.com/ssltest/
>
> according to Qualys, the result for my site was a fail (F)
> due to the following ciphers being supported by relayd / LibreTLS
The relayd cipher string is passed through to libssl, hence you'll get
whatever you specify. There are potential use cases for anonymous ciphers and
for various historical reasons OpenSSL includes (almost) everything by
default. What you want is "HIGH:!aNULL", rather than just "HIGH" which
includes aNULL (null authentication/anonymous) ciphers.
You can check what ciphers you're actually specifying via openssl(1):
$ openssl ciphers HIGH:aNULL
As an aside, if you did not specify your own ciphers and used the relayd
defaults, you would get an appropriate/correct configuration.
If you want something that is even more secure, use the libtls default of
"TLSv1.2+AEAD+ECDHE:TLSv1.2+AEAD+DHE", which will give you TLSv1.2-only cipher
suites with AEAD and PFS.
> TLS_ECDH_anon_WITH_AES_256_CBC_SHA (0xc019) INSECURE 256
> TLS_ECDH_anon_WITH_AES_128_CBC_SHA (0xc018) INSECURE 128
> TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA (0xc017) INSECURE 112
>
> I was wondering if these ciphers could be disabled by default
> in the upcoming release (if not already done so). I will investigate
> selecting ciphers manually to exclude those ciphers in the meantime.
>
> Thanks for your Time,