Your message dated Thu, 10 Nov 2016 15:19:36 +0000
with message-id <[email protected]>
and subject line Bug#840735: fixed in haproxy 1.7~dev6-1
has caused the Debian Bug report #840735,
regarding haproxy: Default SSL cipher list quotes external source, but is out
of date
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
840735: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840735
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: haproxy
Version: 1.6.9-2
Severity: normal
The default haproxy.cfg include tls cipher and protocol restrictions.
They cite an external source:
https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
This has now been updated, so the shipping cfg file should probably be
updated too?
That having been said, it might be better to instead (or as well) point
the reader at:
https://mozilla.github.io/server-side-tls/ssl-config-generator/
... which gives more extensive and general configuration related to SSL
security, as well as more options and explicit client compatability.
You could also link the specific haproxy+openssl URL e.g. for sid at the
moment:
https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy-1.6.9&openssl=1.0.2j
... along with a recommendation to maintain security with respect to
this URL?
Thanks,
Tim.
-- System Information:
Debian Release: stretch/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.7.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
--- End Message ---
--- Begin Message ---
Source: haproxy
Source-Version: 1.7~dev6-1
We believe that the bug you reported is fixed in the latest version of
haproxy, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Apollon Oikonomopoulos <[email protected]> (supplier of updated haproxy
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Thu, 10 Nov 2016 16:02:27 +0200
Source: haproxy
Binary: haproxy haproxy-doc vim-haproxy
Architecture: source
Version: 1.7~dev6-1
Distribution: experimental
Urgency: medium
Maintainer: Debian HAProxy Maintainers
<[email protected]>
Changed-By: Apollon Oikonomopoulos <[email protected]>
Description:
haproxy - fast and reliable load balancing reverse proxy
haproxy-doc - fast and reliable load balancing reverse proxy (HTML documentatio
vim-haproxy - syntax highlighting for HAProxy configuration files
Closes: 828337 840735
Changes:
haproxy (1.7~dev6-1) experimental; urgency=medium
.
* New upstream development release (Closes: #828337)
* Upload to experimental
* d/watch: look for 1.7
* B-D on zlib1g-dev
* haproxy: Depend on lsb-base for the initscript
* Ship additional plain-text documentation
* haproxy-doc: ship HTML version of management.txt
* Update the default SSL cipher list and add a link to Mozilla's SSL
configuration generator (Closes: #840735)
* d/rules: use SUBVERS to pass the Debian revision to HAPROXY_VERSION
Checksums-Sha1:
82451dc980a1eddcbdae565464d21897237fc2e1 2317 haproxy_1.7~dev6-1.dsc
05e1707ab37d328658065a26f3af9f5fdb391e8b 1721271 haproxy_1.7~dev6.orig.tar.gz
8ade225e8d2fc1e399fb5ce5426cc49a3d56566c 61352 haproxy_1.7~dev6-1.debian.tar.xz
Checksums-Sha256:
fed1ef778d8250b79b60dc2218f4d3fea256026c93542670287286e431657eae 2317
haproxy_1.7~dev6-1.dsc
b6aae0fef347ab213586d08f1f2fa60a41956ea5d4c6b0181a0dd9ae605229e3 1721271
haproxy_1.7~dev6.orig.tar.gz
cecb0154a1dc919cf9344164a20b9801985a5304bfe7655d67e3734a5eb26b3c 61352
haproxy_1.7~dev6-1.debian.tar.xz
Files:
d86ea3e0c429d37755c50ee7245c7359 2317 net optional haproxy_1.7~dev6-1.dsc
e9f338c8b5731ba0827e5f280e8bafb2 1721271 net optional
haproxy_1.7~dev6.orig.tar.gz
8c39c703ff03ac87dc55f30b1b98db1c 61352 net optional
haproxy_1.7~dev6-1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQIwBAEBCAAaBQJYJH6GExxhcG9pa29zQGRlYmlhbi5vcmcACgkQ263J6+6nxg40
6Q//UBBS7KFbnhH3Bdx058523ydh2m+xZ71vcxSbbqVK+8ShzfDZq6wU1DuxJ/an
9t7qxu+7eM9HamiO/r71kknOoyXjo/yskBCfsRnaRgG161isE3Oxo+IGSJHmoQmv
vYfRRcMM4ZC1MwX+Oic4zKpwkCt/nv5bQh9wasNhGfE1hsekc/Aa27tXlrc2zIXl
zYBQ9K19d9Ge58thgPMy0MWaeme2x2pModBz44J17zIlgzOI9VlEHPh6UPHf6R94
mtMEM3mVHDwJsnyQbgqf1AJ3BYjBdtktz6vg17PZMzV8xQwihS3JnDKjo5iPAqB6
R7gEfIi8OS4q7uKyboTdd4gokFRKe+tcJfsLaEY/Wr3hJt1ueEd1W3R7Gv79TTfK
8G6K8jqSoDHmyub02+lxsRsMTf1uasZ8NM4nZmiWwgtm0w1z8u6Wx66ChZq69Y2R
jRNThP+cBgZ4tMmlhrAsqUc0q52A5n+RP5VYvX85U1OTFJkqSBxYt4x+DT7DT8rh
PKJ8yBhWVOtZd73Cw2ZF/rs5BGqQiBpR7JwTEB4JlqU08lkK6gfs2xvCLH7StZc/
8wj3U8AyqsS9N0//EuNEuY1OJFtPPKxPyFXIYtAdoiQKes9CJ65NJ0BPyGFTDsKZ
PKi/OaE8/aAAIpuUke3G91QC7DSn5d6ChkmiWNRN8anV6UY=
=pHAE
-----END PGP SIGNATURE-----
--- End Message ---
