How to disable TLS v1.0 & v1.1 in HAProxy?

Hi,

For our application, it shows TLS v1.0 & v1.1 are enabled. We need to disable them.

We checked the haproxy config file & added this:

frontend ssl
bind 0.0.0.0:443 ssl crt /etc/haproxy/ssl_cert.pem ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 force-tlsv12 ca-file /etc/haproxy/ssl_ca_cert.pem no-tlsv11 no-tlsv10 no-sslv3 verify optional

But still, it shows as enabled.

What are we missing here? Let us know if you need the complete config file.

Thanks.


Hello,

Here we use

ssl-default-server-options no-sslv3 ssl-min-ver TLSv1.2

And the result seems OK, but we get a warning at startup:

no-sslv3/no-tlsv1x are ignored for server 'my_server'. Use only 'ssl-min-ver' and 'ssl-max-ver' to fix.

You can get rid of it with a line like:

ssl-default-server-options ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.2

Hope it can help 🙂


This syntax does not work in version 1.5.8.

HAProxy 1.5 is quite old. Not sure if it is still maintained.

You should consider upgrading.

Regarding your issue, you have to check the doc to find the appropriate config.

no-tlsv11 no-tlsv10 no-sslv3

This configuration is correct. The configuration may not be properly applied (an old haproxy instance running in the background with the old configuration), you may have hit a bug, or your measurements may not be accurate.

Provide the output of haproxy -vv and the openssl outputs from the haproxy machine (not from a far-end device crossing firewalls and other security devices; you may have SSL-intercepting devices in the path), against 127.0.0.1:443:

openssl s_client -tls1 -connect 127.0.0.1:443
openssl s_client -tls1_1 -connect 127.0.0.1:443
openssl s_client -tls1_2 -connect 127.0.0.1:443
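As an added example that is not part of the thread, here is the local check the reply above asks for, scripted so it can be re-run after every config reload; it assumes openssl is installed on the HAProxy box and takes the host:port to probe as its argument.

```shell
#!/bin/sh
# Added example, not from the thread: probe a HAProxy listener for each TLS
# version with openssl s_client (as the reply above asks) and report which
# versions the bind actually accepts. Assumes `openssl` is on PATH.
# Usage: sh tls-probe.sh 127.0.0.1:443

# classify_handshake reads one s_client run's output on stdin and prints
# "accepted" if a session was negotiated for the requested version, else
# "rejected". s_client prints an SSL-Session block even on failure, so a
# matching "Protocol :" line alone is not enough; the "Cipher is (NONE)"
# line marks a failed handshake. No output at all (connection refused, or
# an unknown flag on an old openssl) also counts as rejected.
classify_handshake() {
    want="$1"                      # e.g. TLSv1.2
    out="$(cat)"
    if printf '%s\n' "$out" | grep -q "^ *Protocol *: *${want}\$" &&
       ! printf '%s\n' "$out" | grep -q 'Cipher is (NONE)'; then
        echo accepted
    else
        echo rejected
    fi
}

# probe_version runs s_client with one version-forcing flag against the
# target and classifies the result. stdin is /dev/null so it does not hang.
probe_version() {
    target="$1"; flag="$2"; name="$3"
    openssl s_client "$flag" -connect "$target" </dev/null 2>/dev/null \
        | classify_handshake "$name"
}

# report prints one line per version and returns 1 if TLSv1 or TLSv1.1 is
# still accepted, so it can gate a deploy or a config reload.
report() {
    target="$1"; rc=0
    for pair in "-tls1:TLSv1" "-tls1_1:TLSv1.1" "-tls1_2:TLSv1.2" "-tls1_3:TLSv1.3"; do
        flag="${pair%%:*}"; name="${pair#*:}"
        result="$(probe_version "$target" "$flag" "$name")"
        echo "$name $result"
        case "$name" in
            TLSv1|TLSv1.1) [ "$result" = rejected ] || rc=1 ;;
        esac
    done
    return "$rc"
}

# Only probe when a target is given, so sourcing the file runs nothing.
if [ "$#" -gt 0 ]; then
    report "$1"
fi
```

The script's exit status is the answer: it is non-zero while TLSv1 or TLSv1.1 is still accepted by the listener.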

Please find the haproxy version screenshot.

1. For this we are getting an error after running the commands below.

openssl s_client -tls1 127.0.0.1:443
openssl s_client -tls1_1 127.0.0.1:443
openssl s_client -tls1_2 127.0.0.1:443

Command Not Found

2. But when we run the openssl command for the cipher, we get the output below.

ravi@admins-/ % openssl s_client -connect developernexus.ob.globalbank.sbi:443 -cipher "EDH"
CONNECTED(00000005)
depth=2 C = US, O = "Entrust, Inc.", OU = See Legal and Compliance, OU = "(c) 2009 Entrust, Inc. - for authorized use only", CN = Entrust Root Certification Authority - G2
verify return:1
depth=1 C = US, O = "Entrust, Inc.", OU = See Legal and Compliance, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K
verify return:1
verify return:1

Certificate chain
0 *****************
i:/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2012 Entrust, Inc. - for authorized use only/CN=Entrust Certification Authority - L1K
1 s:/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2012 Entrust, Inc. - for authorized use only/CN=Entrust Certification Authority - L1K
i:/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2009 Entrust, Inc. - for authorized use only/CN=Entrust Root Certification Authority - G2
2 s:/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2009 Entrust, Inc. - for authorized use only/CN=Entrust Root Certification Authority - G2
i:/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2009 Entrust, Inc. - for authorized use only/CN=Entrust Root Certification Authority - G2

Server certificate
-----BEGIN CERTIFICATE-----
"*************************************"
-----END CERTIFICATE-----
subject=***********************
issuer=/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2012 Entrust, Inc. - for authorized use only/CN=Entrust Certification Authority - L1K

No client certificate CA names sent
Server Temp Key: DH, 1024 bits

SSL handshake has read 4849 bytes and written 302 bytes

New, TLSv1/SSLv3, Cipher is "*******************"
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : *****************
Session-ID: ********************
Session-ID-ctx:
Master-Key: ****************************
Start Time: 1645684131
Timeout : 7200 (sec)
Verify return code: 0 (ok)

HTTP/1.0 408 Request Time-out
Cache-Control: no-cache

You need to run those commands on the haproxy box against 127.0.0.1:443. If you are missing the local openssl tool, install it.