How to disable specific cipher suites from Haproxy?
All the documents say is to provide a list to be allowed for 'ssl-default-bind-ciphers'. I want to provide only the ones NOT to be allowed. Can I do this "ssl-default-bind-ciphers no RC4-MD5"
Reason: I don't want to restrict myself to the ones I put in the list. If the client comes in with a better, faster ciphers suite- I want the negotiations to go through.
I'm not an haproxy expert, but I found this other guide: https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
It has some syntax examples you can use for haproxy. It looks like you can disable specific ciphers by using the ! before their name. In this guide the user explains his desire to disable DSS and RC4 ciphers.
global ssl-default-bind-options no-sslv3 ssl-default-bind-ciphers ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS ssl-default-server-options no-sslv3 ssl-default-server-ciphers ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS tune.ssl.default-dh-param 2048
I hope this helps.
1) I tried giving only ssl-default-bind-ciphers !aNULL:!MD5:!DSS - HAProxy didn't come up.
The value for ssl-default-bind-ciphers need to start with something other than !
2) This got haproxy up and running ssl-default-bind-ciphers ECDH+AESGCM:!aNULL:!MD5:!DSS
But only two cipher suites were supported.
Testing ECDHE-RSA-AES256-GCM-SHA384 YES
Testing ECDHE-RSA-AES128-GCM-SHA256 YES
I still don't want o provide all the ciphers to be supported. I just want to disable the ones I was flagged for as vulnerable.
These are the ones I need to disable and let everything else go through.
Testing ECDHE-RSA-DES-CBC3-SHA YES
Testing EDH-RSA-DES-CBC3-SHA YES
Testing DES-CBC3-SHA YES
Testing IDEA-CBC-SHA YES
Testing ECDHE-RSA-RC4-SHA YES
Testing RC4-SHA YES
Testing RC4-MD5 YES
Testing RC4-MD5 YES