Netgate Discussion Forum

    Haproxy enable TLS1.3 and keep 1.2

    Category: Cache/Proxy
    6 Posts, 2 Posters, 2.8k Views
    • VioletDragon

      Howdy folks,

      So I want to enable TLS 1.3 on my HAProxy/ACME configuration. I'm currently using 1.2, but I want to enable 1.3 as well and keep 1.2 for older devices. I have been browsing around and I have come across this. Can anyone confirm if this is correct if I add this to Custom Options under Global Advanced pass thru?

      ssl-default-bind-ciphers TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:TLS13-CHACHA20-POLY1305-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
      ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
      ssl-default-server-ciphers TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:TLS13-CHACHA20-POLY1305-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
      ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
      

      Thanks.

      • viktor_g (Netgate) @VioletDragon

        @violetdragon You could try the "Intermediate" SSL/TLS compatibility option on the Services / HAProxy / Settings page:
        [Screenshot: Screenshot from 2021-02-13 12-08-59.png]

        • VioletDragon @viktor_g

          @viktor_g Hi, thanks for your reply. I don't have that option on mine.

          [Screenshot: Screenshot from 2021-02-13 10-44-30.png]

          • viktor_g (Netgate)

            You need the latest HAProxy-devel package.

            • VioletDragon @viktor_g

              @viktor_g Hi, isn't the devel version a beta? That means I have to re-do my whole config?

              • VioletDragon

                Hi,

                Updating to pfSense 2.5.0 and adding the following has enabled TLS 1.3 and 1.2.

                OpenSSL version 1.1.1 is installed.

                ssl-default-bind-ciphers TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:TLS13-CHACHA20-POLY1305-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
                ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
                ssl-default-server-ciphers TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:TLS13-CHACHA20-POLY1305-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
                ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
                

                [Screenshot: Screenshot from 2021-02-18 00-37-39.png]

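An added example, not from the thread and not part of the pfSense HAProxy package, showing the form these global options take when HAProxy is linked against OpenSSL 1.1.1 (what pfSense 2.5.0 ships). TLS 1.2 suites stay in ssl-default-bind-ciphers, but the TLS 1.3 suites belong in the separate ssl-default-bind-ciphersuites directive under their TLS_ names: OpenSSL 1.1.1 does not recognise TLS13-... names inside a cipher list and skips them, so in the setup above TLS 1.3 negotiates only because OpenSSL's built-in default ciphersuites are still in effect. The script embeds that corrected snippet (constructed, for pasting into Global Advanced pass thru), a small lint that flags the misplaced names and any option that would switch 1.2 or 1.3 off, and an openssl s_client check that pins one handshake to TLS 1.2 and one to TLS 1.3. The hostname in the usage line is a placeholder; the client-side openssl must itself be 1.1.1 or newer to accept -tls1_3.

```shell
#!/bin/sh
# Added example for this thread; not the poster's config and not code from the
# pfSense HAProxy package. Assumes HAProxy built against OpenSSL 1.1.1 and a
# client openssl binary of 1.1.1 or newer (needed for the -tls1_3 flag).

# Constructed "Global Advanced pass thru" snippet. TLS 1.2 suites go in
# *-ciphers, TLS 1.3 suites in *-ciphersuites with the TLS_ names that OpenSSL
# 1.1.1 actually knows. ssl-min-ver TLSv1.2 replaces the no-sslv3/no-tlsv10/
# no-tlsv11 trio and leaves both 1.2 and 1.3 enabled.
HAPROXY_TLS_GLOBAL='
ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
ssl-default-bind-ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
ssl-default-server-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
ssl-default-server-ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
ssl-default-server-options ssl-min-ver TLSv1.2 no-tls-tickets
'

# Shortened copy of the thread's snippet, kept only as the negative case:
# TLS13-* names inside ssl-default-bind-ciphers are ignored by OpenSSL 1.1.1.
THREAD_TLS_GLOBAL='
ssl-default-bind-ciphers TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384
ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
'

# Lint a global section for "TLS 1.3 on, TLS 1.2 still on". Returns 0 when ok.
tls13_config_ok() {
  cfg=$1
  # TLS13-* names in the TLS 1.2 cipher list: wrong directive for OpenSSL 1.1.1
  if printf '%s\n' "$cfg" | grep -Eq '^[[:space:]]*ssl-default-bind-ciphers[[:space:]].*TLS13-'; then
    echo 'warn: TLS13-* names belong in ssl-default-bind-ciphersuites as TLS_* names' >&2
    return 1
  fi
  # TLS 1.3 suites must be declared explicitly with the TLS_ names ...
  printf '%s\n' "$cfg" | grep -Eq '^[[:space:]]*ssl-default-bind-ciphersuites[[:space:]]+TLS_' || return 1
  # ... and the bind options must not disable 1.2 or 1.3
  if printf '%s\n' "$cfg" | grep -Eq '^[[:space:]]*ssl-default-bind-options.*(no-tlsv12|no-tlsv13|ssl-min-ver TLSv1\.3)'; then
    return 1
  fi
  return 0
}

# Client-side check: one handshake pinned to TLS 1.2, one pinned to TLS 1.3.
# Prints the "New, <version>, Cipher is <suite>" line openssl reports for each.
# stdin is closed so s_client exits right after the handshake.
check_tls_versions() {
  host=$1
  port=${2:-443}
  for ver in tls1_2 tls1_3; do
    if out=$(openssl s_client -connect "$host:$port" -servername "$host" "-$ver" </dev/null 2>&1); then
      printf '%s ok: %s\n' "$ver" "$(printf '%s\n' "$out" | grep '^New,' | head -n 1)"
    else
      printf '%s FAILED\n' "$ver"
    fi
  done
}

# usage (placeholder host): check_tls_versions haproxy.example.net 443
```

After applying the snippet and restarting HAProxy, both pinned handshakes should succeed; a FAILED on tls1_3 with a success on tls1_2 means TLS 1.3 is still off (wrong HAProxy/OpenSSL build or a no-tlsv13 option somewhere), and the reverse means TLS 1.2 has been removed for the older devices the question wanted to keep.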
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.