How to disable specific cipher suites from Haproxy?
All the documents say is to provide a list to be allowed for 'ssl-default-bind-ciphers'. I want to provide only the ones NOT to be allowed. Can I do this: "ssl-default-bind-ciphers no RC4-MD5"?
Reason: I don't want to restrict myself to the ones I put in the list. If the client comes in with a better, faster cipher suite, I want the negotiation to go through.
1) I tried giving only ssl-default-bind-ciphers !aNULL:!MD5:!DSS - HAProxy didn't come up.
The value for ssl-default-bind-ciphers needs to start with something other than !.
2) This got HAProxy up and running: ssl-default-bind-ciphers ECDH+AESGCM:!aNULL:!MD5:!DSS
But only two cipher suites were supported.
Testing ECDHE-RSA-AES256-GCM-SHA384 YES
Testing ECDHE-RSA-AES128-GCM-SHA256 YES
I still don't want to provide all the ciphers to be supported. I just want to disable the ones I was flagged for as vulnerable.
These are the ones I need to disable and let everything else go through.
Testing ECDHE-RSA-DES-CBC3-SHA YES
Testing EDH-RSA-DES-CBC3-SHA YES
Testing DES-CBC3-SHA YES
Testing IDEA-CBC-SHA YES
Testing ECDHE-RSA-RC4-SHA YES
Testing RC4-SHA YES
Testing RC4-MD5 YES
Testing RC4-MD5 YES
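
Added example, not part of the original post: a Python sketch that previews what the three kinds of cipher string discussed above expand to, so a string can be checked before it goes into ssl-default-bind-ciphers. It assumes Python's ssl module is linked against an OpenSSL comparable to the one HAProxy uses; the DEFAULT-based string and the function names are illustrative, not taken from the thread.

```python
import ssl

# Cipher families flagged in the scan output above (3DES, IDEA, RC4).
FLAGGED = ("DES-CBC3", "IDEA", "RC4")

# The two strings tried in the post, plus an assumed alternative that
# starts from OpenSSL's DEFAULT set and only subtracts from it.
EXCLUSIONS_ONLY = "!aNULL:!MD5:!DSS"
NARROW_ALLOW = "ECDH+AESGCM:!aNULL:!MD5:!DSS"
BASE_MINUS_FLAGGED = "DEFAULT:!aNULL:!MD5:!DSS:!RC4:!3DES:!IDEA"


def expand(cipher_string):
    """Return the cipher names the local OpenSSL selects for the string,
    or None when the string selects nothing usable (nothing was added
    to the list before the '!' rules removed from it)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return None
    return [c["name"] for c in ctx.get_ciphers()]


def flagged_in(names):
    """Return the subset of names that belong to a flagged family."""
    return [n for n in names if any(tag in n for tag in FLAGGED)]


def report():
    """Print a summary line per candidate string."""
    for label, s in (("exclusions only", EXCLUSIONS_ONLY),
                     ("narrow allow-list", NARROW_ALLOW),
                     ("base minus flagged", BASE_MINUS_FLAGGED)):
        names = expand(s)
        if names is None:
            print(f"{label}: rejected, no cipher selected")
        else:
            print(f"{label}: {len(names)} ciphers, "
                  f"flagged present: {flagged_in(names) or 'none'}")


if __name__ == "__main__":
    report()
```

The counts depend on the local OpenSSL build and include TLS 1.3 suites, which OpenSSL configures separately from this string.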