consider configure haproxy to preffer hardware cryptos?

planetinse

Is is possible to get haproxy "preffer" or enforce negotiation of hardware supported cryptos only - or is it a waste of time?

I have a LOT of SNI rules / offloading of TLS traffic and these is supported by my server according to pfsense

Hardware crypto ;
AES-CBC,AES-CCM,AES-GCM,AES-ICM,AES-XTS

or is even HAproxy using this?

johnpoz

Yes you can configure what ciphers haproxy offers if your doing ssl offload..

https://www.haproxy.com/documentation/aloha/latest/traffic-management/lb-layer7/tls/

There is for sure reasons to offer specific ciphers over other ciphers.. Set min tls level, etc. Not sure if hardware crypto your box supports is going to make any real difference... Unless your serving up a lot of traffic?

planetinse

@johnpoz starting to see high cpu usage so just thinking of what options do I have, seems haproxy is a single cpu/single thread thing (if you want it to work stable) so scaling with more cpu is'nt going to help me.

johnpoz

@planetinse I have mine set for security reasons.. And you can verify with say https://www.ssllabs.com/ssltest/

Keep in mind getting too restrictive on the ciphers that can be used - could cause issues with some clients..

planetinse

@johnpoz Yes i have that approach so far to to get A rating, but was considering to reduce them to the hardware supported ones only.

johnpoz

Well you could give it a shot, and see if you have any issues reported by clients..

Yeah I went through the whole security thing awhile back, there is a thread around here about it somewhere - wanted to get A+, and discovered that if you only allow for tls 1.3, that ssllabs will only give you a A vs A+ ;)

edit: here is that thread
https://forum.netgate.com/topic/162125/get-a-on-ssl-labs-test