net/haproxy: Weak ciphers #375

Closed
StrikerTwo opened this issue Nov 16, 2017 · 4 comments · Fixed by #380

StrikerTwo commented Nov 16, 2017

ssllabs.com gives my websites (IIS sites running behind HAProxy with Let's Encrypt certs) only a "B" rating because:

This server supports weak Diffie-Hellman (DH) key exchange parameters.

This server accepts RC4 cipher, but only with older protocols. Grade capped to B.

Anything I can do about this?

I found this: https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ and this: https://mozilla.github.io/server-side-tls/ssl-config-generator/ - can I do this in the OPNsense GUI? Shouldn't it be the default to disable weak ciphers nowadays?

fraenki (Member) commented Nov 16, 2017

@StrikerTwo Thanks for the report! I'll make these parameters configurable.

fraenki added a commit to fraenki/plugins that referenced this issue Nov 17, 2017
fraenki added a commit to fraenki/plugins that referenced this issue Nov 18, 2017
fraenki (Member) commented Nov 18, 2017

> Can I do this in the OPNsense GUI?

Technically this was already possible in advanced mode (hidden setting), but I understand that this was not user-friendly at all. I've introduced several new settings to make it easier:

[screenshot: screen_frontend (Frontend aka "Public Service" configuration)]

Some settings can also be configured as global defaults:

[screenshot: screen_defaults]

You still need to know the cipher list, but now it's a simple copy'n'paste.

> Shouldn't it be the default to disable weak ciphers nowadays?

You're right and I've added new default values. However, I'm not enforcing these values as it would risk breaking existing setups. You'll have to enable the advanced SSL settings (see screenshot).
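The two ssllabs findings in the opening post (weak DH parameters, RC4 offered on older protocols) map onto three HAProxy directives: `tune.ssl.default-dh-param`, `ssl-default-bind-ciphers` and `ssl-default-bind-options` (or the `ciphers`/`no-sslv3` keywords on an individual `bind` line). The checker below is an added example written for this thread; it is not code from the OPNsense HAProxy plugin or from the issue. It parses a constructed haproxy.cfg, reports a weak configuration beside a hardened one, and shows the cipher list you would paste into the plugin's SSL settings. The hardened cipher list is illustrative, written in the style of the Mozilla intermediate profile linked above; take the current list from the generator. Cipher-string evaluation is an approximation of OpenSSL's alias rules, so confirm any list with `openssl ciphers -v '<list>'` against the OpenSSL build the firewall actually runs.

```python
"""Static check of an haproxy.cfg for the two ssllabs findings in this issue:
RC4 offered, and weak (1024-bit) Diffie-Hellman parameters.
Added example for the thread, not code from the OPNsense HAProxy plugin."""

MIN_DH_BITS = 2048
# OpenSSL aliases that expand to RC4 suites on the OpenSSL releases of the
# time (RC4 is MEDIUM strength and part of ALL/DEFAULT before OpenSSL 1.1.0).
# Approximation: verify with `openssl ciphers -v` on the real library.
RC4_EXPANDING_ALIASES = {"ALL", "DEFAULT", "COMPLEMENTOFDEFAULT", "MEDIUM",
                         "RC4", "RSA", "kRSA", "SHA1", "SHA", "SSLv3", "TLSv1"}
SSL_GLOBALS = ("ssl-default-bind-ciphers", "ssl-default-bind-options",
               "tune.ssl.default-dh-param")
BIND_PROTO_OPTIONS = ("no-sslv3", "no-tlsv10", "no-tlsv11", "force-tlsv12")


def cipher_list_may_offer_rc4(ciphers):
    """True if an OpenSSL cipher string can still select an RC4 suite.
    '!RC4' anywhere removes RC4 permanently; otherwise an element offers RC4
    when every '+'-joined part names RC4 or an alias that contains it."""
    elements = [e.strip() for e in ciphers.split(":") if e.strip()]
    if "!RC4" in elements:
        return False
    for element in elements:
        if element[0] in "!-@":  # removals and sort directives add nothing
            continue
        parts = element.lstrip("+").split("+")
        if all(p in RC4_EXPANDING_ALIASES or "RC4" in p for p in parts):
            return True
    return False


def parse_haproxy(cfg_text):
    """Return (global_ssl, binds): the SSL-relevant global directives and one
    dict per `bind ... ssl` line inside a frontend or listen section."""
    section, global_ssl, binds = None, {}, []
    for raw in cfg_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        if tokens[0] in ("global", "defaults", "frontend", "listen", "backend"):
            section = tokens[0]
        elif section == "global" and tokens[0] in SSL_GLOBALS:
            global_ssl[tokens[0]] = " ".join(tokens[1:])
        elif section in ("frontend", "listen") and tokens[0] == "bind" \
                and "ssl" in tokens[2:]:
            bind = {"address": tokens[1], "ciphers": None, "options": set()}
            for i, tok in enumerate(tokens[2:], start=2):
                if tok == "ciphers" and i + 1 < len(tokens):
                    bind["ciphers"] = tokens[i + 1]  # per-bind override
                elif tok in BIND_PROTO_OPTIONS:
                    bind["options"].add(tok)
            binds.append(bind)
    return global_ssl, binds


def audit(cfg_text):
    """Return a list of findings; empty means nothing in the static config
    explains the 'weak DH' or 'RC4' grade cap."""
    global_ssl, binds = parse_haproxy(cfg_text)
    findings = []
    dh = global_ssl.get("tune.ssl.default-dh-param")
    # Used when the PEM carries no DH params and a DHE suite is negotiable;
    # HAProxy 1.x falls back to 1024-bit DH when the directive is unset.
    if dh is None:
        findings.append("tune.ssl.default-dh-param unset: 1024-bit DH fallback")
    elif int(dh) < MIN_DH_BITS:
        findings.append(f"tune.ssl.default-dh-param {dh}: below {MIN_DH_BITS} bits")
    global_opts = set(global_ssl.get("ssl-default-bind-options", "").split())
    for b in binds:
        ciphers = b["ciphers"] or global_ssl.get("ssl-default-bind-ciphers")
        if ciphers is None:
            findings.append(f"{b['address']}: no cipher list, OpenSSL default applies")
        elif cipher_list_may_offer_rc4(ciphers):
            findings.append(f"{b['address']}: cipher list can select RC4: {ciphers}")
        # RC4 was only reachable on the old protocols; turning them off is the
        # other half of the fix.
        if not {"no-sslv3", "force-tlsv12"} & (global_opts | b["options"]):
            findings.append(f"{b['address']}: SSLv3 still enabled (add no-sslv3)")
    return findings


# Constructed sample configs (paths and names are placeholders).
WEAK_CFG = """\
global
    # no tune.ssl.default-dh-param, no ssl-default-bind-* directives
frontend https-in
    bind *:443 ssl crt /path/to/cert.pem ciphers ALL:!aNULL
    default_backend iis
"""
HARDENED_CFG = """\
global
    tune.ssl.default-dh-param 2048
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:!aNULL:!MD5:!DSS:!RC4
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
frontend https-in
    bind *:443 ssl crt /path/to/cert.pem
    default_backend iis
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CFG), ("hardened", HARDENED_CFG)):
        print(f"{name}: {audit(cfg) or ['no findings']}")
```

The weak sample produces three findings (DH fallback, RC4 reachable through `ALL`, SSLv3 enabled); the hardened sample produces none. The `!RC4` at the end of the list is what clears the RC4 finding even if an alias earlier in the string would otherwise pull it in, and `no-tlsv10`/`no-tlsv11` go further than the check requires, which is why the plugin's opt-in switch matters: enforcing those on an existing frontend can lock out clients that only speak TLS 1.0.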

@fraenki fraenki closed this in #380 Nov 18, 2017
fraenki (Member) commented Nov 18, 2017

This will be part of the upcoming HAProxy plugin 2.0 release. :)

StrikerTwo (Author) commented Nov 19, 2017

@fraenki cool, thanks ;)
In the meantime I just pasted it into the custom options, thanks for pointing that out.
