Netgate Discussion Forum
    Disable RC4 DES/3DES in HAproxy

    • keyser:

      Hi

      I'm doing a bit of hardening of my HAproxy reverse proxy and have already disabled SSLv3 with the no-sslv3 statement in the advanced SSL frontend config.

      But how do I disable the RC4 and DES/3DES ciphers on the proxy? I can't find any references on how to do that in the advanced SSL frontend config.

      Thanks

      Love the no fuss of using the official appliances :-)

      • PiBa:

        By setting 'ciphers' you can select to only allow ciphers that don't have RC4 or DES/3DES.

        p.s. might be useful: https://mozilla.github.io/server-side-tls/ssl-config-generator/

        • Kerat:

          In case anyone else has trouble, there are two ways to do this. The first is from the frontend; the alternative is globally.
          1.  Frontend - Edit - Advanced settings - Advanced pass thru
          2.  Settings - Global Advanced pass thru - Custom options

          I also have a rule in my global advanced pass through settings to explicitly deny SSL 3.0 and TLS1.0.

          ssl-default-bind-options no-sslv3 no-tlsv10

          Even with that I was not getting good results when I would scan my subdomains using https://www.ssllabs.com/ssltest. It noted many deprecated ciphers were in use. I found some posts by others who were doing something close to what I wanted to do.
          Ex: http://wolfspyre.com/?p=207

          This was close but I still found that I was having trouble with the 3DES cipher on TLS 1.1 and 1.2.

          https://www.ssllabs.com/ssltest directed me to use the cipher list that Mozilla outlined (https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations). Because all of my remote devices are newer I opted to use the Modern cipher assortment. I added a line underneath my default bind options eliminating support for SSL 3.0 and TLS 1.0. It is the following:

          ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

          Currently, these ciphers seem to rule out TLS 1.0 and force TLS1.2 only.  This could be a problem for older browsers and smart devices.  SSLLabs' ssltest does a pretty good job of enumerating which systems are likely to have trouble.  I have confirmed that all my devices work without issue given my configuration.

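          The two places the thread names for the cipher list (PiBa's 'ciphers' on the frontend, Kerat's global ssl-default-bind-ciphers) can both be checked statically before reaching for SSL Labs. The script below is an added example, not code from any of the posts, from HAProxy or from the pfSense package: it parses a constructed HAProxy config fragment (SAMPLE_CONFIG, an assumption modelled on the two methods in Kerat's post, with the Mozilla Modern list quoted there in the global section and an older per-bind list left on a second frontend), collects every cipher list it finds, and flags entries that still admit RC4, DES/3DES or other suites a hardened proxy should not offer. The function names and the file paths in the sample are illustrative.

```python
"""Static check of the cipher lists in an HAProxy configuration.

Added example for this thread; not code from the posts, from HAProxy or from the
pfSense package. It reads a constructed HAProxy config (SAMPLE_CONFIG below, an
assumption), collects each cipher list set globally via ssl-default-bind-ciphers
or per 'bind' line via the 'ciphers' option, and flags anything that still admits
RC4, DES/3DES or other weak suites.
"""

# OpenSSL suite-name tokens (names are split on '-') that mark a weak suite.
WEAK_TOKENS = {
    "RC4": "RC4 stream cipher",
    "DES": "single DES or 3DES (DES-CBC3-*), 64-bit block size",
    "MD5": "MD5-based MAC",
    "NULL": "no encryption (eNULL) or no authentication (aNULL)",
    "EXP": "export-grade key size",
    "ADH": "anonymous DH, no server authentication",
    "AECDH": "anonymous ECDH, no server authentication",
}

# OpenSSL family keywords (no '-' in the name) that select weak suites wholesale.
WEAK_FAMILIES = {
    "RC4": "all RC4 suites",
    "DES": "all single-DES suites",
    "3DES": "all triple-DES suites",
    "MD5": "all MD5-MAC suites",
    "ANULL": "suites without authentication",
    "ENULL": "suites without encryption",
    "NULL": "suites without encryption",
    "EXP": "export suites",
    "EXPORT": "export suites",
    "LOW": "OpenSSL's LOW strength class",
    "ADH": "anonymous DH",
    "AECDH": "anonymous ECDH",
}

# Group keywords such as HIGH or ALL cannot be expanded without OpenSSL; they are
# accepted only when these families are explicitly removed (e.g. HIGH:!RC4:!3DES).
# HIGH still contained 3DES before OpenSSL 1.1.0 moved it to MEDIUM.
MUST_EXCLUDE = {"RC4", "3DES"}


def lint_cipher_list(spec):
    """Return (weak, unexpanded) for an OpenSSL cipher string such as 'HIGH:!aNULL:!MD5'.

    weak       - list of (entry, reason) for entries that admit a weak suite
    unexpanded - group keywords (HIGH, ALL, DEFAULT, kECDHE, ...) whose members are
                 not visible here and that are not followed by !RC4 and !3DES
    """
    weak, unexpanded, excluded = [], [], set()
    for entry in spec.split(":"):
        entry = entry.strip()
        if not entry or entry.startswith("@"):   # '@STRENGTH', '@SECLEVEL=2' are modifiers
            continue
        if entry[0] in "!-":                      # '!X' / '-X' remove X from the list
            excluded.add(entry[1:].upper())
            continue
        name = entry.lstrip("+")                  # '+X' only moves X to the end
        tokens = name.split("-")
        if len(tokens) == 1:                      # keyword or family, not a concrete suite
            key = name.upper()
            if key in WEAK_FAMILIES:
                weak.append((entry, WEAK_FAMILIES[key]))
            else:
                unexpanded.append(entry)
            continue
        for tok in tokens:                        # concrete suite, e.g. ECDHE-RSA-DES-CBC3-SHA
            if tok in WEAK_TOKENS:
                weak.append((entry, WEAK_TOKENS[tok]))
                break
    if MUST_EXCLUDE <= excluded:
        unexpanded = []
    return weak, unexpanded


def cipher_lists_in_config(text):
    """Yield (section, directive, cipher_string) for each cipher list in an HAProxy config."""
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        words = line.split()
        if words[0] in ("global", "defaults", "frontend", "backend", "listen"):
            section = " ".join(words[:2])
        elif words[0] == "ssl-default-bind-ciphers" and len(words) > 1:
            yield section, words[0], words[1]
        elif words[0] == "bind" and "ciphers" in words[1:-1]:
            yield section, "bind ciphers", words[words.index("ciphers") + 1]


def audit_config(text):
    """Map '<section> <directive>' to lint results for every cipher list in the config."""
    return {f"{section} {directive}": lint_cipher_list(spec)
            for section, directive, spec in cipher_lists_in_config(text)}


# Constructed sample, not a real deployment: the global section carries the Mozilla
# Modern list from the thread; the second frontend keeps an older per-bind list.
SAMPLE_CONFIG = """\
global
    ssl-default-bind-options no-sslv3 no-tlsv10
    ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256

frontend https-in
    bind *:443 ssl crt /etc/ssl/private/site.pem      # inherits the global list

frontend legacy-in
    bind *:8443 ssl crt /etc/ssl/private/site.pem ciphers HIGH:RC4-SHA:DES-CBC3-SHA
"""

if __name__ == "__main__":
    for where, (weak, unexpanded) in audit_config(SAMPLE_CONFIG).items():
        print(where)
        for entry, reason in weak:
            print(f"  WEAK       {entry}: {reason}")
        for keyword in unexpanded:
            print(f"  UNVERIFIED {keyword}: expand with  openssl ciphers -v '{keyword}'")
        if not weak and not unexpanded:
            print("  ok: no RC4/DES/3DES and no unexpanded group keywords")
```

          The check is deliberately static: a concrete suite name is judged from its tokens, while a group keyword such as HIGH is only trusted when the list also carries !RC4 and !3DES, since its real membership depends on the OpenSSL build and is best confirmed with `openssl ciphers -v 'HIGH'`. Point audit_config at the config HAProxy actually runs (on pfSense the package renders it under /var/etc/haproxy/, an assumption worth verifying on your box), and confirm from outside with `openssl s_client -connect host:443 -cipher RC4-SHA`, which should now end in a handshake failure rather than a session.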
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.