Feature #10779

open

HAProxy SSL/TLS Compatibility Mode

Added by Viktor Gurov about 1 year ago. Updated about 1 month ago.

Status:
Feedback
Priority:
Normal
Category:
haproxy
Target version:
-
Start date:
07/20/2020
Due date:
% Done:
100%

Estimated time:

Actions #2

Updated by Jim Pingle about 1 year ago

  • Status changed from New to Pull Request Review

Actions #3

Updated by Renato Botelho 11 months ago

  • Status changed from Pull Request Review to Feedback
  • Assignee set to Renato Botelho
  • % Done changed from 0 to 100

PR has been merged. Thanks!

Actions #5

Updated by Jim Pingle 11 months ago

  • Status changed from Feedback to Pull Request Review

Actions #6

Updated by Renato Botelho 11 months ago

  • Status changed from Pull Request Review to Feedback

PR has been merged. Thanks!

Actions #7

Updated by DRago_Angel [InV@DER] 5 months ago

[WARNING] 048/042825 (22803) : Proxy 'http-promex': no-sslv3/no-tlsv1x are ignored for bind '0.0.0.0:9001' at [/var/etc/haproxy/haproxy.cfg:75]. Use only 'ssl-min-ver' and 'ssl-max-ver' to fix. 

Hi, this needs an update to use ssl-min-ver & ssl-max-ver, as mentioned at https://redmine.pfsense.org/issues/10739. There are many breaking changes that need to be supported in the UI; looks like the guys missed them at bump time :(

Sample of correct "old" configuration:

# Frontend connections: Old
# https://ssl-config.mozilla.org/#server=haproxy&version=2.2.6&config=old&openssl=1.1.1i&guideline=5.6
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl-default-bind-options ssl-min-ver TLSv1.0 no-tls-tickets

# Backend connections: Old
# https://ssl-config.mozilla.org/#server=haproxy&version=2.2.6&config=old&openssl=1.1.1i&guideline=5.6
ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA
ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl-default-server-options ssl-min-ver TLSv1.0 no-tls-tickets

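As an added example (not the reporter's code and not the pfSense package's), a small Python linter that finds the deprecated no-sslv3/no-tlsv1x keywords the warning above complains about and proposes the equivalent ssl-min-ver/ssl-max-ver setting; the sample configuration, including the certificate path and addresses, is constructed.

```python
# HAProxy protocol names in increasing order, as accepted by ssl-min-ver /
# ssl-max-ver. Each deprecated no-* keyword disables exactly one of them.
VERSIONS = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
NO_FLAGS = {"no-sslv3": 0, "no-tlsv10": 1, "no-tlsv11": 2,
            "no-tlsv12": 3, "no-tlsv13": 4}
# Keywords whose option list may carry the deprecated per-version flags.
KEYWORDS = ("bind", "server", "default-server",
            "ssl-default-bind-options", "ssl-default-server-options")

def min_max_for(disabled):
    """(min, max-or-None) names for the enabled range, or None if it has a hole."""
    enabled = [i for i in range(len(VERSIONS)) if i not in disabled]
    if not enabled or enabled != list(range(enabled[0], enabled[-1] + 1)):
        return None
    lo, hi = enabled[0], enabled[-1]
    return VERSIONS[lo], (None if hi == len(VERSIONS) - 1 else VERSIONS[hi])

def lint(cfg_text):
    """Return one finding per line that still uses no-sslv3/no-tlsv1x."""
    findings = []
    for lineno, raw in enumerate(cfg_text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()  # drop trailing comments
        if not tokens or tokens[0] not in KEYWORDS:
            continue
        disabled = {NO_FLAGS[t] for t in tokens if t in NO_FLAGS}
        if not disabled:
            continue
        mixed = "ssl-min-ver" in tokens or "ssl-max-ver" in tokens
        if mixed:  # the situation behind the warning quoted above
            fix = "remove the no-* flags; ssl-min-ver/ssl-max-ver already governs"
        elif (rng := min_max_for(disabled)) is None:
            fix = "not expressible: enabled versions have a hole"
        else:
            fix = "ssl-min-ver " + rng[0]
            if rng[1]:
                fix += " ssl-max-ver " + rng[1]
        findings.append({"line": lineno, "keyword": tokens[0],
                         "mixed_with_minmax": mixed, "replace_with": fix})
    return findings

# Constructed sample, not the reporter's configuration.
SAMPLE_CFG = """\
global
    ssl-default-bind-options ssl-min-ver TLSv1.0 no-tls-tickets
frontend http-promex
    bind 0.0.0.0:9001 ssl crt /path/to/cert.pem no-sslv3 no-tlsv10
    bind 0.0.0.0:9002 ssl crt /path/to/cert.pem ssl-min-ver TLSv1.2 no-tlsv10
backend app
    server s1 10.0.0.1:443 ssl no-tlsv11
"""
```

Running lint(SAMPLE_CFG) flags the two bind lines and the server line; the ssl-default-bind-options line already uses ssl-min-ver and passes.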
Actions #8

Updated by Viktor Gurov 2 months ago

  • Status changed from Feedback to New

DRago_Angel [InV@DER] wrote:

[...]
Hi, this needs an update to use ssl-min-ver & ssl-max-ver, as mentioned at https://redmine.pfsense.org/issues/10739. There are many breaking changes that need to be supported in the UI; looks like the guys missed them at bump time :(

Sample of correct "old" configuration:
[...]

fix:
https://github.com/pfsense/FreeBSD-ports/pull/1068

Actions #9

Updated by Jim Pingle 2 months ago

  • Status changed from New to Pull Request Review

Actions #10

Updated by Renato Botelho about 1 month ago

  • Status changed from Pull Request Review to Feedback

PR has been merged. Thanks!
