How to disable specific cipher suites from Haproxy?
All the documents say is to provide a list to be allowed for 'ssl-default-bind-ciphers'. I want to provide only the ones NOT to be allowed. Can I do this "ssl-default-bind-ciphers no RC4-MD5"
Reason: I don't want to restrict myself to the ones I put in the list. If the client comes in with a better, faster ciphers suite- I want the negotiations to go through.
I'm not an haproxy expert, but I found this other guide: https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
It has some syntax examples you can use for haproxy. It looks like you can disable specific ciphers by using the ! before their name. In this guide the user explains his desire to disable DSS and RC4 ciphers.
global ssl-default-bind-options no-sslv3 ssl-default-bind-ciphers ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS ssl-default-server-options no-sslv3 ssl-default-server-ciphers ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS tune.ssl.default-dh-param 2048
I hope this helps.
1) I tried giving only ssl-default-bind-ciphers !aNULL:!MD5:!DSS - HAProxy didn't come up.
The value for ssl-default-bind-ciphers need to start with something other than !
2) This got haproxy up and running ssl-default-bind-ciphers ECDH+AESGCM:!aNULL:!MD5:!DSS
But only two cipher suites were supported.
Testing ECDHE-RSA-AES256-GCM-SHA384 YES
Testing ECDHE-RSA-AES128-GCM-SHA256 YES
I still don't want o provide all the ciphers to be supported. I just want to disable the ones I was flagged for as vulnerable.
These are the ones I need to disable and let everything else go through.
Testing ECDHE-RSA-DES-CBC3-SHA YES
Testing EDH-RSA-DES-CBC3-SHA YES
Testing DES-CBC3-SHA YES
Testing IDEA-CBC-SHA YES
Testing ECDHE-RSA-RC4-SHA YES
Testing RC4-SHA YES
Testing RC4-MD5 YES
Testing RC4-MD5 YES
Hello folks! To the member of organizations who are still running their Atlassian applications on the server, we are on the side of the bridge, and if we need to sail the boat with confidence either...
Connect with like-minded Atlassian users at free events near you!Find an event
Connect with like-minded Atlassian users at free events near you!
Unfortunately there are no Community Events near you at the moment.Host an event
You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events