[Pkg-haproxy-maintainers] Bug#840735: haproxy: Default SSL cipher list quotes external source, but is out of date

Tim Small tim at seoss.co.uk
Fri Oct 14 09:56:15 UTC 2016


Source: haproxy
Version: 1.6.9-2
Severity: normal

The default haproxy.cfg includes TLS cipher and protocol restrictions.
They cite an external source:

https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/

This has now been updated, so the shipping cfg file should probably be
updated too?


That having been said, it might be better to instead (or as well) point
the reader at:

https://mozilla.github.io/server-side-tls/ssl-config-generator/

... which gives more extensive and general configuration related to SSL
security, as well as more options and explicit client compatibility.

You could also link the specific haproxy+openssl URL e.g. for sid at the
moment:

https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy-1.6.9&openssl=1.0.2j

... along with a recommendation to maintain security with respect to
this URL?


Thanks,

Tim.



-- System Information:
Debian Release: stretch/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.7.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
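The report above is about a shipped default cipher list going stale. As an added example (not from the bug report, the haproxy project or Debian), the script below audits the `ssl-default-bind-ciphers` and `ssl-default-bind-options` directives in an haproxy.cfg `global` section, flagging cipher tokens from families a current hardening guide would exclude (RC4, DES/3DES, MD5, NULL, export grades, and so on), tokens without forward secrecy, and missing protocol restrictions. The two embedded configs are constructed for the example; the weak-marker list and severity labels are this example's own assumptions, not haproxy's or Mozilla's, and a real audit would compare against a maintained source such as the generator linked in the report.

```python
"""Audit the TLS defaults of an haproxy.cfg 'global' section.

Constructed example accompanying Debian bug #840735; not code from haproxy
or Debian.  The WEAK_MARKERS and PFS_PREFIXES sets are assumptions chosen
for this example.
"""
from typing import Dict, List, Tuple

# Substrings that mark an OpenSSL cipher-list token as a cipher or family
# no current guide still recommends (assumption for this example).
WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXP", "PSK", "SRP", "DSS", "SEED", "IDEA")
# Token prefixes that imply an ephemeral key exchange (forward secrecy).
PFS_PREFIXES = ("ECDHE", "DHE", "EECDH", "EDH", "kEECDH", "kEDH")
SECTION_KEYWORDS = {"global", "defaults", "frontend", "backend", "listen", "peers", "userlist"}


def parse_global_tls(cfg_text: str) -> Dict[str, List[str]]:
    """Return the cipher tokens and bind options found in the global section."""
    ciphers: List[str] = []
    options: List[str] = []
    in_global = False
    for raw in cfg_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment in haproxy.cfg
        if not line:
            continue
        parts = line.split()
        if parts[0] in SECTION_KEYWORDS:      # a new section starts
            in_global = parts[0] == "global"
            continue
        if not in_global:
            continue
        if parts[0] == "ssl-default-bind-ciphers" and len(parts) > 1:
            ciphers = parts[1].split(":")     # OpenSSL cipher-list syntax
        elif parts[0] == "ssl-default-bind-options":
            options = parts[1:]
    return {"ciphers": ciphers, "options": options}


def audit_global_tls(cfg_text: str) -> List[Tuple[str, str]]:
    """Return (severity, message) findings; an empty list means nothing flagged."""
    parsed = parse_global_tls(cfg_text)
    findings: List[Tuple[str, str]] = []
    if not parsed["ciphers"]:
        findings.append(("high", "no ssl-default-bind-ciphers in global: OpenSSL's built-in default applies"))
    for tok in parsed["ciphers"]:
        if tok.startswith(("!", "-")):
            continue  # exclusions/removals only tighten the list
        if any(marker in tok for marker in WEAK_MARKERS):
            findings.append(("high", f"weak cipher or family enabled: {tok}"))
        elif not tok.startswith(PFS_PREFIXES):
            findings.append(("medium", f"no forward secrecy: {tok}"))
    options = parsed["options"]
    if "no-sslv3" not in options:
        findings.append(("high", "ssl-default-bind-options lacks no-sslv3"))
    if "no-tlsv10" not in options:
        findings.append(("low", "ssl-default-bind-options lacks no-tlsv10"))
    return findings


# Constructed sample in the style of an older cipher guide.
LEGACY_CFG = """
global
    log /dev/log local0
    ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:RC4-SHA:DES-CBC3-SHA:!aNULL
    ssl-default-bind-options no-tls-tickets

defaults
    mode http
"""

# Constructed sample with ephemeral-only AES-GCM suites and legacy protocols disabled.
HARDENED_CFG = """
global
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
"""

if __name__ == "__main__":
    for name, cfg in (("legacy", LEGACY_CFG), ("hardened", HARDENED_CFG)):
        print(f"== {name} ==")
        for severity, message in audit_global_tls(cfg) or [("ok", "no findings")]:
            print(f"  [{severity}] {message}")
```

Run it against a real `/etc/haproxy/haproxy.cfg` by reading the file into `audit_global_tls`; the parser only inspects the `global` section, so per-`bind` cipher overrides on individual frontends are out of scope for this example.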
