Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Product Q&A
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

How to disable cipher suites in haproxy? Want to specify a list of suites that are NOT to be used.

dthadav
dthadav November 8, 2018

How to disable specific cipher suites from Haproxy?

All the documents say is to provide a list to be allowed for 'ssl-default-bind-ciphers'. I want to provide only the ones NOT to be allowed. Can I do this "ssl-default-bind-ciphers no RC4-MD5"

Reason: I don't want to restrict myself to the ones I put in the list. If the client comes in with a better, faster ciphers suite- I want the negotiations to go through.

Answer
Watch
Like Be the first to like this
13941 views

2 answers

1 accepted

Suggest an answer

Log in or Sign up to answer
0 votes
Answer accepted
Andy Heinzer
Andy Heinzer
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
November 8, 2018

I'm not an haproxy expert, but I found this other guide: https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/

It has some syntax examples you can use for haproxy.  It looks like you can disable specific ciphers by using the ! before their name.  In this guide the user explains his desire to disable DSS and RC4 ciphers.

global ssl-default-bind-options no-sslv3 ssl-default-bind-ciphers ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS ssl-default-server-options no-sslv3 ssl-default-server-ciphers ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS tune.ssl.default-dh-param 2048

I hope this helps.

Andy

Reply
0 votes
dthadav
dthadav November 8, 2018

1) I tried giving only ssl-default-bind-ciphers  !aNULL:!MD5:!DSS - HAProxy didn't come up.

The value for ssl-default-bind-ciphers need to start with something other than !

2) This got haproxy up and running  ssl-default-bind-ciphers ECDH+AESGCM:!aNULL:!MD5:!DSS

But only two cipher suites were supported.

Testing ECDHE-RSA-AES256-GCM-SHA384 YES
Testing ECDHE-RSA-AES128-GCM-SHA256 YES

I still don't want o provide all the ciphers to be supported. I just want to disable the ones I was flagged for as vulnerable.

These are the ones I need to disable and let everything else go through. 

Testing ECDHE-RSA-DES-CBC3-SHA YES
Testing EDH-RSA-DES-CBC3-SHA YES
Testing DES-CBC3-SHA YES
Testing IDEA-CBC-SHA YES
Testing ECDHE-RSA-RC4-SHA YES
Testing RC4-SHA YES
Testing RC4-MD5 YES
Testing RC4-MD5 YES

Reply
groups-icon
Data Center
TAGS
AUG Leaders

Atlassian Community Events

    See all events