
How to disable cipher suites in haproxy? Want to specify a list of suites that are NOT to be used.

How to disable specific cipher suites from Haproxy?

All the documents say is to provide a list to be allowed for 'ssl-default-bind-ciphers'. I want to provide only the ones NOT to be allowed. Can I do this: "ssl-default-bind-ciphers no RC4-MD5"?

Reason: I don't want to restrict myself to the ones I put in the list. If the client comes in with a better, faster cipher suite, I want the negotiation to go through.

2 answers

1 accepted

0 votes
Answer accepted
Andy Heinzer Atlassian Team Nov 08, 2018

I'm not an haproxy expert, but I found this other guide: https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/

It has some syntax examples you can use for haproxy. It looks like you can disable specific ciphers by using the ! before their name. In this guide the user explains his desire to disable DSS and RC4 ciphers.

global
    ssl-default-bind-options no-sslv3
    ssl-default-bind-ciphers ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    ssl-default-server-options no-sslv3
    ssl-default-server-ciphers ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    tune.ssl.default-dh-param 2048

I hope this helps.

Andy

1) I tried giving only ssl-default-bind-ciphers !aNULL:!MD5:!DSS - HAProxy didn't come up.

The value for ssl-default-bind-ciphers needs to start with something other than !

2) This got haproxy up and running: ssl-default-bind-ciphers ECDH+AESGCM:!aNULL:!MD5:!DSS

But only two cipher suites were supported.

Testing ECDHE-RSA-AES256-GCM-SHA384 YES
Testing ECDHE-RSA-AES128-GCM-SHA256 YES

I still don't want to provide all the ciphers to be supported. I just want to disable the ones I was flagged for as vulnerable.

These are the ones I need to disable and let everything else go through. 

Testing ECDHE-RSA-DES-CBC3-SHA YES
Testing EDH-RSA-DES-CBC3-SHA YES
Testing DES-CBC3-SHA YES
Testing IDEA-CBC-SHA YES
Testing ECDHE-RSA-RC4-SHA YES
Testing RC4-SHA YES
Testing RC4-MD5 YES
Testing RC4-MD5 YES
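The behaviour seen in the two attempts above follows from how OpenSSL evaluates a cipher-list string, which is the format HAProxy's ssl-default-bind-ciphers takes: terms are processed left to right, a plain term adds matching suites, and a `!` term only removes. A string made of nothing but `!` terms therefore selects zero suites, which is why HAProxy refused to start, and `ECDH+AESGCM:...` selects only the two ECDHE/AES-GCM suites because that is all the single plain term adds. The "allow everything except" form the question asks for is a leading `ALL` keyword followed by the exclusions. The model below is an added illustration, not HAProxy's or OpenSSL's code: the suite table and its keyword tags are hand-constructed from the suites named in this thread plus a few extras, and the `evaluate` function is a simplified re-implementation of the OpenSSL rules (plain add, `!` permanent block, `-` removable delete, `+` move to end, `A+B` intersection). The authoritative check for a real deployment is `openssl ciphers -v '<string>'` run against the OpenSSL build HAProxy is linked with.

```python
"""Simplified model of OpenSSL cipher-list evaluation, the format that
HAProxy's ssl-default-bind-ciphers accepts.  Illustration only: the suite
table and keyword tags are hand-written, not read from OpenSSL."""

# Constructed suite table: suite name -> keywords the suite matches.
# Suites are the ones from the thread plus a few extras so that "ALL"
# keeps something.  Tags mirror OpenSSL keyword names (ECDH, DH, RSA,
# AESGCM, 3DES, RC4, aNULL, MD5, DSS, ...).
SUITES = {
    "ECDHE-RSA-AES256-GCM-SHA384": {"ECDH", "RSA", "AESGCM", "AES", "AES256", "SHA384"},
    "ECDHE-RSA-AES128-GCM-SHA256": {"ECDH", "RSA", "AESGCM", "AES", "AES128", "SHA256"},
    "ECDHE-RSA-AES256-SHA":        {"ECDH", "RSA", "AES", "AES256", "SHA1"},
    "DHE-RSA-AES256-GCM-SHA384":   {"DH", "RSA", "AESGCM", "AES", "AES256", "SHA384"},
    "AES128-GCM-SHA256":           {"kRSA", "RSA", "AESGCM", "AES", "AES128", "SHA256"},
    "DHE-DSS-AES256-SHA":          {"DH", "DSS", "AES", "AES256", "SHA1"},
    "ADH-AES128-SHA":              {"DH", "aNULL", "AES", "AES128", "SHA1"},
    "ECDHE-RSA-DES-CBC3-SHA":      {"ECDH", "RSA", "3DES", "SHA1"},
    "EDH-RSA-DES-CBC3-SHA":        {"DH", "RSA", "3DES", "SHA1"},
    "DES-CBC3-SHA":                {"kRSA", "RSA", "3DES", "SHA1"},
    "IDEA-CBC-SHA":                {"kRSA", "RSA", "IDEA", "SHA1"},
    "ECDHE-RSA-RC4-SHA":           {"ECDH", "RSA", "RC4", "SHA1"},
    "RC4-SHA":                     {"kRSA", "RSA", "RC4", "SHA1"},
    "RC4-MD5":                     {"kRSA", "RSA", "RC4", "MD5"},
}


def _matches(term, tags, name):
    """A term like 'ECDH+AESGCM' matches a suite only when every
    '+'-joined keyword does.  A term may also be a full suite name
    (e.g. 'RC4-MD5'), and 'ALL' matches every suite in the table."""
    for kw in term.split("+"):
        if kw != "ALL" and kw != name and kw not in tags:
            return False
    return True


def evaluate(cipher_string, suites=SUITES):
    """Walk the ':'-separated terms left to right, as OpenSSL does:
    no prefix -> append matching suites not already listed or blocked,
    '!'       -> remove now and block for the rest of the string,
    '-'       -> remove now, but a later plain term may add them back,
    '+'       -> move matching suites to the end of the list.
    Returns the selected suite names in preference order."""
    selected, blocked = [], set()
    for term in cipher_string.split(":"):
        if not term:
            continue
        op, body = (term[0], term[1:]) if term[0] in "!-+" else ("", term)
        hits = [n for n, tags in suites.items() if _matches(body, tags, n)]
        if op == "!":
            blocked.update(hits)
            selected = [n for n in selected if n not in hits]
        elif op == "-":
            selected = [n for n in selected if n not in hits]
        elif op == "+":
            moved = [n for n in selected if n in hits]
            selected = [n for n in selected if n not in hits] + moved
        else:
            selected += [n for n in hits if n not in selected and n not in blocked]
    return selected


if __name__ == "__main__":
    # The two strings from the thread, then an "everything except" form
    # that keeps the answer's exclusions and adds the flagged families.
    for s in ("!aNULL:!MD5:!DSS",
              "ECDH+AESGCM:!aNULL:!MD5:!DSS",
              "ALL:!aNULL:!MD5:!DSS:!RC4:!3DES:!IDEA"):
        print(f"{s!r} -> {evaluate(s)}")
```

Two points the model makes visible: `!` and `-` are not interchangeable (`ALL:!RC4:RC4` keeps RC4 out, `ALL:-RC4:RC4` puts it back at the end of the list), and a string that opens with `ALL` admits every suite the linked OpenSSL knows about, including weak ones nobody has thought to exclude yet, which is why hardening guides prefer an explicit allow list over an exclusion list.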
