haproxy: prefer ssl-min-ver with haproxy 2.2+ #275
Conversation
x-ref:
- "HA-Proxy no-sslv3/no-tlsv1x are ignored" mozilla#152
- "Config for old client (TLS 1.0 / 1.1) won't work, for (at least) HAProxy 2.4." mozilla#206

github: closes mozilla#152
github: closes mozilla#206
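As an added check (not part of this PR or the generator's own code), a small lint that flags bind/server option lines still pinning the TLS floor with the deprecated `no-sslv3`/`no-tlsv1x` flags instead of `ssl-min-ver`; the two haproxy.cfg fragments are constructed for illustration:

```bash
#!/bin/sh
# Constructed sample fragments (not from the PR): the first uses the deprecated
# no-* version flags, the second pins the floor with ssl-min-ver as this PR prefers.
OLD_CFG='global
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
frontend fe
    bind :443 ssl crt /etc/haproxy/site.pem no-tlsv10'
NEW_CFG='global
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
frontend fe
    bind :443 ssl crt /etc/haproxy/site.pem'

# lint_tls_flags CONFIG_TEXT
# Prints one finding per option line that uses no-sslv3/no-tlsv1x without an
# accompanying ssl-min-ver. Returns 0 when the config is clean, 1 otherwise.
lint_tls_flags() {
    printf '%s\n' "$1" | awk '
        # Only lines that can carry TLS options are inspected.
        /^[ \t]*(ssl-default-bind-options|ssl-default-server-options|bind|server)[ \t]/ {
            if ($0 ~ /no-(sslv3|tlsv1[0-3])/ && $0 !~ /ssl-min-ver/) {
                n++
                printf("no-tlsv1x without ssl-min-ver: %s\n", $0)
            }
        }
        END { exit (n > 0) ? 1 : 0 }'
}

# Stand-alone usage: report on both fragments.
lint_tls_flags "$OLD_CFG"
lint_tls_flags "$NEW_CFG" && echo "NEW_CFG: clean"
```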
Interesting to note that when testing "Old" config (using 1024-bit generated dhparam for
That's the ordering issue haproxy/haproxy#2468 I've been mentioning in the OpenSSL 3 compatibility PR, so here you can see it IRL. They set @SECLEVEL for protocols and ciphers to work, but way after initing the DH values. They introduced the http://docs.haproxy.org/dev/configuration.html#ssl-security-level workaround for it.
The following might be a workaround. I'll test this later today. Have to run out ATM. (Aside: this is ugly in Handlebars and why regular javascript is as-good-as or better than the templating for this type of complex logic.)
... And Mozilla security can't update the guidelines soon enough. When that (eventually) happens, the update will likely make dhParamSize 2048 and obviate the need for this kludge.
The above (edited) patch works after some minor tweaks. I'll merge a PR shortly with the additional splat for low-security configurations using outdated Mozilla guidelines now over 4 years old.
haproxy: prefer ssl-min-ver with haproxy 2.2+
closes: #152
closes: #206