Qualys SSL Labs and haproxy (solved)


#1

Hello,

We have two haproxy servers (redundancy) accepting HTTPS. Just tested the SSL security by using https://www.ssllabs.com/ssltest/. We get a B due to the following issues:

“This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B.” More info at https://weakdh.org/

“This server accepts RC4 cipher, but only with older browsers. Grade capped to B.” More info at https://community.qualys.com/blogs/securitylabs/2013/03/19/rc4-in-tls-is-broken-now-what

My question is: What do we need to do to fix these issues so that we can get an A?

Please note that we have tried the suggestions on https://weakdh.org/sysadmin.html, but this broke our haproxies.

haproxy -v says:
HA-Proxy version 1.5.8 2014/10/31
Copyright 2000-2014 Willy Tarreau w@1wt.eu


#2

Well it also depends on your OpenSSL version. What does haproxy -vv say?

You can find a lot of information here:
https://wiki.mozilla.org/Security/Server_Side_TLS

And an actual config generator here:
https://mozilla.github.io/server-side-tls/ssl-config-generator/

What does “broke our haproxy” mean?
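The two findings in the original post (weak DH parameters, RC4 accepted) each map to a global directive in haproxy 1.5. The following is an added example for illustration only; it is not the poster's configuration nor what their ISP applied, and it assumes a certificate PEM at /etc/haproxy/certs/site.pem and an OpenSSL build that supports ECDHE and AES-GCM (check with haproxy -vv, as post #2 suggests):

```haproxy
global
    # Weak DH finding: haproxy 1.5 generates ephemeral DH parameters of this
    # size when the certificate file carries none. Default is 1024; SSL Labs
    # treats 1024-bit DH as weak, so raise it to 2048.
    tune.ssl.default-dh-param 2048

    # RC4 finding: restrict the offered cipher suites. Forward-secret ECDHE
    # suites first, a few RSA-key-exchange AES suites for old clients,
    # then explicit exclusions. "!RC4" is what removes the RC4 finding.
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:!aNULL:!eNULL:!MD5:!RC4

    # Drop SSLv3 as well; not one of the two findings, but SSL Labs caps
    # the grade for it too.
    ssl-default-bind-options no-sslv3

frontend https-in
    # The bind line inherits the defaults above; "ciphers" can still be
    # set per bind line to override them.
    bind :443 ssl crt /etc/haproxy/certs/site.pem
    default_backend web

backend web
    server web1 10.0.0.10:80 check
```

Run haproxy -c -f /etc/haproxy/haproxy.cfg before reloading: an OpenSSL build that lacks one of the listed suites, or a haproxy older than 1.5 that does not know these keywords, is the usual reason a cipher-hardening change leaves the listener refusing connections, which is consistent with the "no response at all" symptom in the thread.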


#3

First, our ISP found some solutions to this just a few minutes ago, so now we have grade A :)

By “broke our haproxy” -> it simply stopped working so that the site was not reachable anymore. The browser did not get any response at all.

Thanks for the links.