Joel,

Thanks for that... your mail was most helpful. I tried the suggested
setting
"HIGH:!aNULL"
It worked perfectly,
so the config now looks like this:

http protocol https {
        match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
        match request header append "X-Forwarded-By" \
            value "$SERVER_ADDR:$SERVER_PORT"
        match request header append "X-Forwarded-Proto" value "https"
        match request header set "Connection" value "close"
        tls { no tlsv1.0, ciphers "HIGH:!aNULL" }

}

and the tests returned an A grade after that.

Thanks for the detailed follow-up information also; it is much appreciated.
I owe you a pint or 2 for that :)

Tom Smyth



On Thu, Apr 6, 2017 at 11:45 PM, Joel Sing <[email protected]> wrote:

> On Thursday 06 April 2017 16:38:26 Tom Smyth wrote:
> > Hello all,
> >
> > I was installing relayd as a load balancer (and SSL terminator) on an
> > OpenBSD 6.0 amd64 base install.
> >
> > I used the following configuration for my /etc/relayd.conf file
> >
> > http protocol https {
> >         match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
> >         match request header append "X-Forwarded-By" \
> >             value "$SERVER_ADDR:$SERVER_PORT"
> >         match request header append "X-Forwarded-Proto" value "https"
> >         match request header set "Connection" value "close"
> >         tls { no tlsv1.0, ciphers HIGH }
> > }
> >
> > The Site I used to test was
> > https://www.ssllabs.com/ssltest/
> >
> > according to qualys the result for my site was a fail (F)
> > due to the following ciphers being supported by relayd / LibreTLS
>
> The relayd cipher string is passed through to libssl, hence you'll get
> whatever you specify. There are potential use cases for anonymous ciphers
> and for various historical reasons OpenSSL includes (almost) everything by
> default. What you want is "HIGH:!aNULL", rather than just "HIGH" which
> includes aNULL (null authentication/anonymous) ciphers.
>
> You can check what ciphers you're actually specifying via openssl(1):
>
> $ openssl ciphers HIGH:aNULL
>
> As an aside, if you did not specify your own ciphers and used the relayd
> defaults, you would get an appropriate/correct configuration.
>
> If you want something that is even more secure use the libtls default of
> "TLSv1.2+AEAD+ECDHE:TLSv1.2+AEAD+DHE", which will give you TLSv1.2 only
> cipher suites with AEAD and PFS.
>
> > TLS_ECDH_anon_WITH_AES_256_CBC_SHA (0xc019)   INSECURE     256
> > TLS_ECDH_anon_WITH_AES_128_CBC_SHA (0xc018)   INSECURE     128
> > TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA (0xc017)   INSECURE     112
> >
> > I was wondering if these ciphers could be disabled by default
> > in the upcoming release (if not already done so). I will investigate
> > selecting ciphers manually to exclude those ciphers in the meantime.
> >
> > Thanks for your time,
>
>


-- 
Kindest regards,
Tom Smyth
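The check Joel points to (`openssl ciphers`) prints one line per suite, and the `-v` form also shows the key exchange, authentication, cipher and MAC columns, which is enough to see why "HIGH" alone fails: the anonymous suites have `Au=None`. The script below is an added example, not code from relayd, LibreSSL or OpenSSL. It parses `openssl ciphers -v` output, flags anonymous (aNULL) suites, non-PFS key exchange, non-AEAD suites and anything usable below TLSv1.2, and lists the suites that meet the properties Joel describes for the libtls default. The embedded input is a constructed sample in that output layout, not a capture from the poster's machine; `AECDH-*` are OpenSSL's names for the `TLS_ECDH_anon_*` suites quoted in the thread. The `recommended()` filter is my reading of "TLSv1.2 only, AEAD, PFS, no aNULL", not a reimplementation of how libssl evaluates the libtls cipher string.

```python
"""Audit an openssl(1) cipher list along the lines of the thread above:
flag aNULL (anonymous) suites, and report which suites meet the stronger
properties Joel describes (TLSv1.2 only, AEAD, forward-secret key exchange).
Added example, not code from relayd, LibreSSL or OpenSSL."""
import subprocess
from dataclasses import dataclass

# Constructed sample in the layout of `openssl ciphers -v` output. It is NOT
# captured from the poster's relayd box; the names are OpenSSL's names for the
# suites quoted in the thread (AECDH-* are the TLS_ECDH_anon_* suites) plus a
# few ordinary ones for contrast.
SAMPLE_CIPHERS_V = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
AECDH-AES256-SHA        SSLv3 Kx=ECDH     Au=None Enc=AES(256)  Mac=SHA1
AECDH-AES128-SHA        SSLv3 Kx=ECDH     Au=None Enc=AES(128)  Mac=SHA1
AECDH-DES-CBC3-SHA      SSLv3 Kx=ECDH     Au=None Enc=3DES(168) Mac=SHA1
ADH-AES256-GCM-SHA384   TLSv1.2 Kx=DH       Au=None Enc=AESGCM(256) Mac=AEAD
"""


@dataclass(frozen=True)
class Suite:
    name: str
    proto: str  # minimum protocol version column
    kx: str     # key exchange
    au: str     # authentication; "None" is what the aNULL keyword selects
    enc: str
    mac: str    # "AEAD" for GCM/CCM/ChaCha suites


def parse_ciphers_v(text: str) -> list[Suite]:
    """Parse `openssl ciphers -v` lines: NAME PROTO Kx=.. Au=.. Enc=.. Mac=.."""
    suites = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue  # blank or truncated line
        fields = dict(p.split("=", 1) for p in parts[2:6])
        suites.append(Suite(parts[0], parts[1], fields["Kx"], fields["Au"],
                            fields["Enc"], fields["Mac"]))
    return suites


def audit(suites: list[Suite]) -> dict[str, list[str]]:
    """Group suite names by the weakness that would cost a grade."""
    return {
        # Anonymous key exchange: no server authentication at all.
        "anonymous": [s.name for s in suites if s.au == "None"],
        # Static RSA key transport: no forward secrecy.
        "no_pfs": [s.name for s in suites if s.kx not in ("ECDH", "DH")],
        # CBC-with-HMAC suites rather than AEAD.
        "no_aead": [s.name for s in suites if s.mac != "AEAD"],
        # Usable below TLSv1.2 (the -v column shows the minimum version).
        "pre_tls12": [s.name for s in suites if s.proto != "TLSv1.2"],
    }


def recommended(suites: list[Suite]) -> list[str]:
    """Suites with the properties Joel lists (TLSv1.2, AEAD, ephemeral (EC)DH)
    and no anonymous authentication. This is my reading of those properties,
    not a reimplementation of how libssl evaluates the libtls default string."""
    return [s.name for s in suites
            if s.proto == "TLSv1.2" and s.mac == "AEAD"
            and s.kx in ("ECDH", "DH") and s.au != "None"]


def run_openssl_ciphers(spec: str) -> list[Suite]:
    """The check from the thread, `openssl ciphers -v <spec>`, parsed live."""
    out = subprocess.run(["openssl", "ciphers", "-v", spec],
                         capture_output=True, text=True, check=True).stdout
    return parse_ciphers_v(out)


if __name__ == "__main__":
    sample = parse_ciphers_v(SAMPLE_CIPHERS_V)
    for label, names in audit(sample).items():
        print(f"{label}: {names}")
    print("recommended:", recommended(sample))
    try:
        # Compare "HIGH" with "HIGH:!aNULL" on the local libssl, if present.
        for spec in ("HIGH", "HIGH:!aNULL"):
            print(spec, "anonymous:", audit(run_openssl_ciphers(spec))["anonymous"])
    except (FileNotFoundError, subprocess.CalledProcessError):
        print("openssl(1) not available; skipped live check")
```

Run it on a box with openssl(1) and the last two lines show the difference the thread is about: the "HIGH" list carries `Au=None` entries, "HIGH:!aNULL" does not. The same parser can be pointed at any cipher string you are about to put into relayd.conf before a scanner tells you about it.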
