HAProxy community

SSL Labs still complains about TLS 1.0

Hello everyone,
I am trying to achieve a good result on ssllabs.com, but I got a complaint that my website uses TLS v1.0. I thought that I had disabled it with this line in haproxy.cfg:

bind abns@go_to_myfrontend accept-proxy ssl crt /etc/haproxy/certs/mycert.pem verify none ciphers EECDH+AESGCM:EDH+AESGCM force-tlsv12 no-tlsv10

But no. Curiously, when I added the line, ssllabs stopped complaining about TLS 1.1.

Does someone know what I missed?

–
OpenSSL 1.0.2k-fips 26 Jan 2017
HA-Proxy version 1.5.18 2016/05/10
CentOS Linux release 7.7.1908 (Core)

Thanks a lot in advance for your time.

I can see you are using an abns socket, so I'd assume you are terminating only some TLS sessions.

What is the domain that shows TLSv1.0 is enabled and where does haproxy route this? Perhaps it is not in the domain with the certificate /etc/haproxy/certs/mycert.pem, but something that you pass transparently to the backend?

Show the entire configuration.
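
The reply's point, as an added example (not code from this thread or from the HAProxy project): `no-tlsv10` and `force-tlsv12` only act on a bind line that carries `ssl`, so this Python script lists every bind in a config and reports whether TLS 1.0 is controlled there. The sample config, its section names, the 192.0.2.10 server and the `audit_binds` helper are constructed for illustration; the script assumes `ssl-default-bind-options` appears before the bind lines and is merged into each of them.

```python
VERSION_OPTS = {"no-sslv3", "no-tlsv10", "no-tlsv11", "no-tlsv12",
                "force-sslv3", "force-tlsv10", "force-tlsv11", "force-tlsv12"}

def audit_binds(cfg_text):
    """Return (section, address, verdict) for every bind line in the config."""
    findings, section, defaults = [], None, set()
    for raw in cfg_text.splitlines():
        words = raw.split("#", 1)[0].split()      # drop comments, tokenize
        if not words:
            continue
        if words[0] in ("global", "defaults", "frontend", "listen", "backend"):
            section = " ".join(words[:2])
        elif section == "global" and words[0] == "ssl-default-bind-options":
            defaults = set(words[1:]) & VERSION_OPTS
        elif words[0] == "bind" and len(words) > 1:
            opts = set(words[2:])
            if "ssl" not in opts:
                # HAProxy does no handshake here; the receiver decides TLS versions
                verdict = "not-terminated"
            else:
                eff = (opts | defaults) & VERSION_OPTS   # assumption: defaults merge in
                forced = {o for o in eff if o.startswith("force-")}
                blocked = "no-tlsv10" in eff or bool(forced - {"force-tlsv10"})
                verdict = "tls1.0-off" if blocked else "tls1.0-on"
            findings.append((section, words[1], verdict))
    return findings

# Constructed, abbreviated config (timeouts and tcp-request inspection rules omitted)
SAMPLE_CFG = """\
global
    ssl-default-bind-options no-sslv3
defaults
    mode tcp
frontend public
    bind :443                      # no 'ssl' keyword
    use_backend tls_term if { req_ssl_sni -i www.example.test }
    default_backend legacy
backend tls_term
    server local abns@go_to_myfrontend send-proxy
backend legacy
    server old 192.0.2.10:443      # raw TLS forwarded to another host
frontend myfrontend
    bind abns@go_to_myfrontend accept-proxy ssl crt /etc/haproxy/certs/mycert.pem verify none ciphers EECDH+AESGCM:EDH+AESGCM force-tlsv12 no-tlsv10
frontend weak
    bind :8443 ssl crt /etc/haproxy/certs/mycert.pem no-sslv3
"""

if __name__ == "__main__":
    for section, addr, verdict in audit_binds(SAMPLE_CFG):
        print(f"{section:22} {addr:24} {verdict}")
```

Any bind reported as `not-terminated` that receives TLS traffic has to be checked on the server it forwards to, because the options on the abns bind never see those sessions.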