How to disable cipher suites in haproxy? Want to specify a list of suites that are NOT to be used.

dthadav November 8, 2018

How to disable specific cipher suites from Haproxy?

All the documents say is to provide a list to be allowed for 'ssl-default-bind-ciphers'. I want to provide only the ones NOT to be allowed. Can I do this: "ssl-default-bind-ciphers no RC4-MD5"?

Reason: I don't want to restrict myself to the ones I put in the list. If the client comes in with a better, faster cipher suite, I want the negotiation to go through.

2 answers

1 accepted

0 votes
Answer accepted
Andy Heinzer
Atlassian Team
November 8, 2018

I'm not an haproxy expert, but I found this other guide: https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/

It has some syntax examples you can use for haproxy.  It looks like you can disable specific ciphers by using the ! before their name.  In this guide the user explains his desire to disable DSS and RC4 ciphers.

global
    ssl-default-bind-options no-sslv3
    ssl-default-bind-ciphers ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    ssl-default-server-options no-sslv3
    ssl-default-server-ciphers ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    tune.ssl.default-dh-param 2048

I hope this helps.

Andy

0 votes
dthadav November 8, 2018

1) I tried giving only ssl-default-bind-ciphers  !aNULL:!MD5:!DSS - HAProxy didn't come up.

The value for ssl-default-bind-ciphers needs to start with something other than !

2) This got haproxy up and running: ssl-default-bind-ciphers ECDH+AESGCM:!aNULL:!MD5:!DSS

But only two cipher suites were supported.

Testing ECDHE-RSA-AES256-GCM-SHA384 YES
Testing ECDHE-RSA-AES128-GCM-SHA256 YES

I still don't want to provide all the ciphers to be supported. I just want to disable the ones I was flagged for as vulnerable.

These are the ones I need to disable and let everything else go through.

Testing ECDHE-RSA-DES-CBC3-SHA YES
Testing EDH-RSA-DES-CBC3-SHA YES
Testing DES-CBC3-SHA YES
Testing IDEA-CBC-SHA YES
Testing ECDHE-RSA-RC4-SHA YES
Testing RC4-SHA YES
Testing RC4-MD5 YES
Testing RC4-MD5 YES
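As an added illustration (not from the thread, and not haproxy's or OpenSSL's own code), here is a simplified Python model of how OpenSSL evaluates a cipher string: it shows why a string that begins with "!" selects nothing (so haproxy cannot start), why "ECDH+AESGCM:!aNULL:!MD5:!DSS" leaves only the two GCM suites, and how a positive selector such as ALL followed by "!" exclusions removes exactly the flagged suites while keeping the rest. The suite table and its keyword tags are constructed approximations of a small subset of OpenSSL's list, and the FLAGGED set is the list of suites from the post above.

```python
# Simplified model of OpenSSL cipher-string evaluation (the syntax haproxy's
# ssl-default-bind-ciphers takes). Constructed example: SUITES is a hand-picked
# subset with approximate keyword tags, not OpenSSL's real cipher table.
SUITES = [  # (suite name, keywords it matches, in OpenSSL's naming)
    ("ECDHE-RSA-AES256-GCM-SHA384", {"ECDH", "RSA", "AESGCM", "AES256", "AES", "SHA384"}),
    ("ECDHE-RSA-AES128-GCM-SHA256", {"ECDH", "RSA", "AESGCM", "AES128", "AES", "SHA256"}),
    ("DHE-RSA-AES256-GCM-SHA384", {"DH", "RSA", "AESGCM", "AES256", "AES", "SHA384"}),
    ("DHE-DSS-AES256-SHA", {"DH", "DSS", "AES256", "AES", "SHA1"}),
    ("AECDH-AES256-SHA", {"ECDH", "aNULL", "AES256", "AES", "SHA1"}),
    ("ECDHE-RSA-DES-CBC3-SHA", {"ECDH", "RSA", "3DES", "SHA1"}),
    ("EDH-RSA-DES-CBC3-SHA", {"DH", "RSA", "3DES", "SHA1"}),
    ("DES-CBC3-SHA", {"kRSA", "RSA", "3DES", "SHA1"}),
    ("IDEA-CBC-SHA", {"kRSA", "RSA", "IDEA", "SHA1"}),
    ("ECDHE-RSA-RC4-SHA", {"ECDH", "RSA", "RC4", "SHA1"}),
    ("RC4-SHA", {"kRSA", "RSA", "RC4", "SHA1"}),
    ("RC4-MD5", {"kRSA", "RSA", "RC4", "MD5"}),
]
FLAGGED = {  # the suites the scanner in the thread flagged as weak
    "ECDHE-RSA-DES-CBC3-SHA", "EDH-RSA-DES-CBC3-SHA", "DES-CBC3-SHA",
    "IDEA-CBC-SHA", "ECDHE-RSA-RC4-SHA", "RC4-SHA", "RC4-MD5"}


def expand(cipher_string, suites=SUITES):
    """Ordered list of suites a cipher string selects. Tokens are ':'-separated;
    'ALL' matches everything; 'A+B' requires both keywords; a leading '!' removes
    matches permanently, '-' removes them until re-added, '+' moves them to the
    end; a plain token appends new matches. An empty result is what makes
    SSL_CTX_set_cipher_list fail, i.e. haproxy refuses to start."""
    active, killed = [], set()
    for tok in cipher_string.split(":"):
        op, name = (tok[0], tok[1:]) if tok[:1] in ("!", "-", "+") else ("", tok)
        want = name.split("+")
        hit = [s for s, kw in suites if name == "ALL" or all(k in kw for k in want)]
        if op == "!":
            killed.update(hit)
            active = [s for s in active if s not in killed]
        elif op == "-":
            active = [s for s in active if s not in hit]
        elif op == "+":
            active = [s for s in active if s not in hit] + [s for s in active if s in hit]
        else:
            active += [s for s in hit if s not in active and s not in killed]
    return active


def flagged_present(cipher_string):
    """Which flagged suites survive a cipher string? Empty means the fix holds."""
    return [s for s in expand(cipher_string) if s in FLAGGED]

if __name__ == "__main__":
    for cs in ("!aNULL:!MD5:!DSS", "ECDH+AESGCM:!aNULL:!MD5:!DSS",
               "ALL:!RC4:!3DES:!IDEA:!aNULL:!MD5:!DSS"):
        print(cs, "->", expand(cs))
```

Against a real build, the same comparison can be made with "openssl ciphers -v '<string>'", which prints the suites the string actually expands to for the OpenSSL haproxy is linked with.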
