How to disable cipher suites in haproxy? Want to specify a list of suites that are NOT to be used.

How to disable specific cipher suites from Haproxy?

All the documents say is to provide a list to be allowed for 'ssl-default-bind-ciphers'. I want to provide only the ones NOT to be allowed. Can I do this: "ssl-default-bind-ciphers no RC4-MD5"?

Reason: I don't want to restrict myself to the ones I put in the list. If the client comes in with a better, faster cipher suite, I want the negotiation to go through.

2 answers

1 accepted

0 votes
Answer accepted
Andy Heinzer Atlassian Team Nov 08, 2018

I'm not an haproxy expert, but I found this other guide: https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/

It has some syntax examples you can use for haproxy. It looks like you can disable specific ciphers by using the ! before their name. In this guide the user explains his desire to disable DSS and RC4 ciphers.

    global
        ssl-default-bind-options no-sslv3
        ssl-default-bind-ciphers ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
        ssl-default-server-options no-sslv3
        ssl-default-server-ciphers ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
        tune.ssl.default-dh-param 2048

I hope this helps.

Andy

1) I tried giving only ssl-default-bind-ciphers !aNULL:!MD5:!DSS - HAProxy didn't come up.

The value for ssl-default-bind-ciphers needs to start with something other than !

2) This got haproxy up and running: ssl-default-bind-ciphers ECDH+AESGCM:!aNULL:!MD5:!DSS

But only two cipher suites were supported.

Testing ECDHE-RSA-AES256-GCM-SHA384 YES
Testing ECDHE-RSA-AES128-GCM-SHA256 YES

I still don't want to provide all the ciphers to be supported. I just want to disable the ones I was flagged for as vulnerable.

These are the ones I need to disable and let everything else go through.

Testing ECDHE-RSA-DES-CBC3-SHA YES
Testing EDH-RSA-DES-CBC3-SHA YES
Testing DES-CBC3-SHA YES
Testing IDEA-CBC-SHA YES
Testing ECDHE-RSA-RC4-SHA YES
Testing RC4-SHA YES
Testing RC4-MD5 YES
Testing RC4-MD5 YES
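A way to check a cipher string of this kind before putting it in haproxy.cfg, as an added example that is not part of the thread or of HAProxy's documentation: HAProxy hands ssl-default-bind-ciphers to OpenSSL unchanged, so asking the local OpenSSL what a string that starts from DEFAULT and subtracts only the flagged families would enable shows exactly what the server will negotiate. Starting from the DEFAULT keyword, the !3DES/!RC4/!IDEA exclusions and the helper names are my choices, not something the thread gives.

```shell
#!/bin/sh
# Added example (not from the thread or HAProxy docs): validate an HAProxy
# cipher string against the local OpenSSL before deploying it. HAProxy passes
# ssl-default-bind-ciphers to OpenSSL verbatim, so "openssl ciphers" shows
# exactly which TLS 1.2-and-below suites would become negotiable.

# Start from DEFAULT (what OpenSSL already considers acceptable) and subtract
# only the flagged families; "3DES" covers the DES-CBC3 suites. A string that
# begins with "!" subtracts from an empty set, which is why the exclusion-only
# attempt in the thread kept HAProxy from starting.
CIPHERS='DEFAULT:!aNULL:!MD5:!DSS:!RC4:!3DES:!IDEA'

# Suite names flagged in the question; none of them may survive the string.
FLAGGED='ECDHE-RSA-DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA DES-CBC3-SHA
IDEA-CBC-SHA ECDHE-RSA-RC4-SHA RC4-SHA RC4-MD5'

# cipher_list_ok STRING: succeeds only if OpenSSL accepts STRING and the
# resulting list is non-empty (otherwise it reports "no cipher match").
cipher_list_ok() {
    openssl ciphers "$1" >/dev/null 2>&1
}

# enabled_suites STRING: one enabled suite name per line.
enabled_suites() {
    openssl ciphers "$1" | tr ':' '\n'
}

# flagged_remaining STRING: prints flagged suites still enabled; empty output
# means the exclusions did their job.
flagged_remaining() {
    list=$(enabled_suites "$1")
    for s in $FLAGGED; do
        printf '%s\n' "$list" | grep -qx "$s" && printf '%s\n' "$s"
    done
    return 0
}

# render_haproxy_global STRING: global-section lines to paste into haproxy.cfg.
render_haproxy_global() {
    printf 'global\n    ssl-default-bind-ciphers %s\n    ssl-default-server-ciphers %s\n' "$1" "$1"
}

main() {
    command -v openssl >/dev/null 2>&1 || { echo 'openssl not found'; return 0; }
    cipher_list_ok '!aNULL:!MD5:!DSS' || echo 'exclusion-only string rejected by OpenSSL'
    left=$(flagged_remaining "$CIPHERS")
    [ -z "$left" ] && echo 'no flagged suite remains' || printf 'STILL ENABLED:\n%s\n' "$left"
    render_haproxy_global "$CIPHERS"
}
main "$@"
```

Run it on the HAProxy host itself, because the result depends on that host's OpenSSL build (newer builds no longer list RC4 at all). The string governs TLS 1.2 and earlier only; TLS 1.3 suites are configured in HAProxy through the separate ssl-default-bind-ciphersuites directive.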
