Feature #10779

closed

HAProxy SSL/TLS Compatibility Mode

Added by Viktor Gurov almost 4 years ago. Updated 7 months ago.

Status: Resolved
Priority: Normal
Assignee: Viktor Gurov
Category: haproxy
Target version: -
Start date: 07/20/2020
Due date:
% Done: 100%
Estimated time:
Plus Target Version:

Files

haproxy_conf_OLD.png (116 KB), Azamat Khakimyanov, 09/23/2023 05:52 PM
haproxy_conf_INTERMEDIATE.png (116 KB), Azamat Khakimyanov, 09/23/2023 05:52 PM
haproxy_conf_MODERN.png (85.5 KB), Azamat Khakimyanov, 09/23/2023 05:52 PM
#2

Updated by Jim Pingle almost 4 years ago

  • Status changed from New to Pull Request Review
#3

Updated by Renato Botelho over 3 years ago

  • Status changed from Pull Request Review to Feedback
  • Assignee set to Renato Botelho
  • % Done changed from 0 to 100

PR has been merged. Thanks!

#4

Updated by Viktor Gurov over 3 years ago

#5

Updated by Jim Pingle over 3 years ago

  • Status changed from Feedback to Pull Request Review
#6

Updated by Renato Botelho over 3 years ago

  • Status changed from Pull Request Review to Feedback

PR has been merged. Thanks!

#7

Updated by DRago_Angel [InV@DER] about 3 years ago

[WARNING] 048/042825 (22803) : Proxy 'http-promex': no-sslv3/no-tlsv1x are ignored for bind '0.0.0.0:9001' at [/var/etc/haproxy/haproxy.cfg:75]. Use only 'ssl-min-ver' and 'ssl-max-ver' to fix. 

Hi, this needs an update to use ssl-min-ver & ssl-max-ver as mentioned at https://redmine.pfsense.org/issues/10739 . There are many breaking changes that need to be supported in the UI; it looks like the guys missed them at bump time :(

Sample of correct "old" configuration:

# Frontend connections: Old
# https://ssl-config.mozilla.org/#server=haproxy&version=2.2.6&config=old&openssl=1.1.1i&guideline=5.6
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl-default-bind-options ssl-min-ver TLSv1.0 no-tls-tickets

# Backend connections: Old
# https://ssl-config.mozilla.org/#server=haproxy&version=2.2.6&config=old&openssl=1.1.1i&guideline=5.6
ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA
ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl-default-server-options ssl-min-ver TLSv1.0 no-tls-tickets

#8

Updated by Viktor Gurov almost 3 years ago

  • Status changed from Feedback to New

DRago_Angel [InV@DER] wrote:

[...]
Hi, this needs an update to use ssl-min-ver & ssl-max-ver as mentioned at https://redmine.pfsense.org/issues/10739 . There are many breaking changes that need to be supported in the UI; it looks like the guys missed them at bump time :(

Sample of correct "old" configuration:
[...]

fix:
https://github.com/pfsense/FreeBSD-ports/pull/1068

#9

Updated by Jim Pingle almost 3 years ago

  • Status changed from New to Pull Request Review
#10

Updated by Renato Botelho almost 3 years ago

  • Status changed from Pull Request Review to Feedback

PR has been merged. Thanks!

#11

Updated by Renato Botelho about 2 years ago

  • Assignee deleted (Renato Botelho)
#12

Updated by Viktor Gurov about 2 years ago

  • Assignee set to Viktor Gurov
#13

Updated by Azamat Khakimyanov 7 months ago

Tested on 23.05_1

Option 'HAProxy SSL/TLS Compatibility Mode' is available now (HAproxy 0.63_1).
Choosing different modes changes available ciphers/TLS mode for HAproxy package.

HAproxy.conf files for different modes are attached below:
- 'Old' mode ('haproxy_conf_OLD.png')
- 'Intermediate' mode ('haproxy_conf_INTERMEDIATE.png')
- 'Modern' mode ('haproxy_conf_MODERN.png')

I marked this Feature Request as resolved.
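
Added example, not code from this thread's participants or from the pfSense haproxy package: a Python converter for the migration that comment #7 asks for. It rewrites the legacy no-sslv3/no-tlsvXX flags on bind, server, default-server and ssl-default-{bind,server}-options lines as ssl-min-ver/ssl-max-ver, drops the legacy flags where an explicit range is already present (the case that produces the "no-sslv3/no-tlsv1x are ignored" warning quoted in #7), fails closed when the disabled versions leave a gap that a range cannot express, and names which of the Old/Intermediate/Modern tiers from #13 the resulting floor corresponds to. The sample haproxy.cfg, certificate paths and backend address are constructed for the example.

```python
"""Convert legacy HAProxy no-sslv3 / no-tlsvXX flags into ssl-min-ver / ssl-max-ver.
Example code for this issue, not part of pfSense or the haproxy package."""
import re

# Protocol versions in order, spelled as ssl-min-ver / ssl-max-ver expect them.
VERSIONS = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# Legacy keyword -> the single version it disables.
LEGACY_FLAGS = {"no-sslv3": "SSLv3", "no-tlsv10": "TLSv1.0", "no-tlsv11": "TLSv1.1",
                "no-tlsv12": "TLSv1.2", "no-tlsv13": "TLSv1.3"}

# Only these directives carry protocol flags; group 1 keeps the indentation.
LINE_RE = re.compile(
    r"^(\s*)(bind|server|default-server|ssl-default-bind-options|ssl-default-server-options)\b")


def tier_for_min(min_ver):
    """Strictest Mozilla tier (the names the pfSense option uses) whose floor is at
    or below this minimum: Old = TLSv1.0, Intermediate = TLSv1.2, Modern = TLSv1.3."""
    if min_ver is None or min_ver == "SSLv3":
        return "weaker than Old"
    if min_ver in ("TLSv1.0", "TLSv1.1"):
        return "Old"
    return "Intermediate" if min_ver == "TLSv1.2" else "Modern"


def convert_tokens(tokens):
    """Rewrite one directive given as a list of words. Returns (new_tokens, notes);
    notes record every change that alters the effective policy, not just its spelling."""
    disabled, explicit, kept, notes = set(), {}, [], []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in LEGACY_FLAGS:
            disabled.add(LEGACY_FLAGS[tok])
            i += 1
        elif tok in ("ssl-min-ver", "ssl-max-ver") and i + 1 < len(tokens):
            explicit[tok] = tokens[i + 1]
            i += 2
        else:
            kept.append(tok)
            i += 1
    if not disabled:
        return list(tokens), notes  # nothing legacy on this line, leave it alone
    if explicit:
        # HAProxy ignores the no-* flags as soon as a range keyword is present
        # (the warning in comment #7), so the explicit range is the only policy in force.
        notes.append("legacy no-* flags dropped; ssl-min-ver/ssl-max-ver already set")
        min_ver, max_ver = explicit.get("ssl-min-ver"), explicit.get("ssl-max-ver")
    else:
        lo = 0
        while lo < len(VERSIONS) and VERSIONS[lo] in disabled:
            lo += 1
        if lo == len(VERSIONS):
            raise ValueError("every protocol version is disabled: " + " ".join(tokens))
        hi = len(VERSIONS) - 1
        while VERSIONS[hi] in disabled:
            hi -= 1
        # A range cannot express a gap such as no-tlsv11 without no-tlsv10. Fail closed:
        # raise the floor above the highest gap rather than re-enable what was disabled.
        holes = [v for v in VERSIONS[lo:hi + 1] if v in disabled]
        if holes:
            lo = VERSIONS.index(holes[-1]) + 1
            notes.append("gap at %s cannot be expressed as a range; minimum set to %s"
                         % (",".join(holes), VERSIONS[lo]))
        # Emit only the bounds the legacy flags actually expressed.
        min_ver = VERSIONS[lo] if lo > 0 else None
        max_ver = VERSIONS[hi] if hi < len(VERSIONS) - 1 else None
    if min_ver:
        kept += ["ssl-min-ver", min_ver]
    if max_ver:
        kept += ["ssl-max-ver", max_ver]
    return kept, notes


def convert_config(text):
    """Rewrite a whole haproxy.cfg; returns (new_text, ["line N: note", ...]).
    Directives with a trailing '# comment' on the same line are not handled."""
    out, notes = [], []
    for n, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            out.append(line)
            continue
        new_tokens, line_notes = convert_tokens(line.split())
        out.append(m.group(1) + " ".join(new_tokens))
        notes += ["line %d: %s" % (n, note) for note in line_notes]
    return "\n".join(out) + "\n", notes


# Constructed sample (paths and addresses made up). The bind line reproduces the
# mixed form that triggers the "no-sslv3/no-tlsv1x are ignored" warning from comment #7.
SAMPLE_CFG = """\
global
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tls-tickets
    ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11

frontend http-promex
    bind 0.0.0.0:9001 ssl crt /var/etc/haproxy/promex.pem no-sslv3 no-tlsv10 no-tlsv11 ssl-min-ver TLSv1.2

backend app
    server app1 10.0.0.2:8443 ssl verify required ca-file /etc/ssl/app-ca.pem no-tlsv11
"""

if __name__ == "__main__":
    new_cfg, notes = convert_config(SAMPLE_CFG)
    print(new_cfg)
    for note in notes:
        print("#", note)
```

Run it on a copy of /var/etc/haproxy/haproxy.cfg and diff the result before reloading; every note it prints is a line whose effective policy changed, not just its spelling, and those are the lines worth re-checking against the tier you expect. The gap handling is deliberately one-directional: it only ever raises the floor.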
