Qualys SSL Labs and haproxy (solved)

mr.proxy · March 14, 2017, 10:07am

Hello,

We have two haproxy servers (redundancy) accepting HTTPS. Just tested the SSL security by using https://www.ssllabs.com/ssltest/. We get a B due to the following issues:

“This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B.” More info at https://weakdh.org/

“This server accepts RC4 cipher, but only with older browsers. Grade capped to B.” More info at https://community.qualys.com/blogs/securitylabs/2013/03/19/rc4-in-tls-is-broken-now-what

My question is: What do we need to do to fix this issues so that we can get an A?

Please note that we have tried what the suggestions on https://weakdh.org/sysadmin.html, but this broke our haproxy’s.

haproxy -v say:
HA-Proxy version 1.5.8 2014/10/31
Copyright 2000-2014 Willy Tarreau w@1wt.eu

lukastribus · March 14, 2017, 2:05pm

Well it also depends on your OpenSSL version. What does haproxy -vv say?

You can find a lot of informations here:
https://wiki.mozilla.org/Security/Server_Side_TLS

And an actual config generator here:
https://mozilla.github.io/server-side-tls/ssl-config-generator/

What does “broke our haproxy” mean?

mr.proxy · March 14, 2017, 2:23pm

First, our ISP found some solutions to this just a few minutes ago, so now we have grade A

By “broken our haproxy” -> it simply stopped working so that the site was not reachable anymore. The browser did not get any response at all.

Thanks for the links.

Topic		Replies	Views
HAproxy TLS passthough Help!	3	399	March 22, 2022
Haproxy w/ssl 'SSL handshake failure' Help!	3	3658	February 10, 2023
Weak algorithm supported Help!	15	595	January 4, 2023
Only HTTPS 502,521 error Help!	0	784	July 3, 2018
Trying to install SSL Cert for use with HAPROXY. No luck Help!	10	9924	January 7, 2019

Qualys SSL Labs and haproxy (solved)

Related Topics