❦ 22 July 2019 15:19 -05, April King <ap...@mozilla.com>:

> The existing `haproxy.cfg`, from `debian/haproxy.cfg` contains this URL:
> https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
>
> However, it should point to this URL:
> https://ssl-config.mozilla.org/#server=haproxy 
>
> Additionally, I would suggest taking the list of ciphers from:
> ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
> ssl-default-bind-options no-sslv3
>
> And updating to the Mozilla Intermediate profile, as you can see here:
> https://ssl-config.mozilla.org/#server=haproxy&server-version=1.9.8&config=intermediate
>
> I would also strongly suggest bundling the RFC 7919 2048-bit
> Diffie-Hellman parameters file in the haproxy debian package as well.

I'll do that in the branch for 2.0 (which at some point will be merged
in master). Thanks for the pointers!
-- 
What good is an obscenity trial except to popularize literature?
                -- Nero Wolfe, "The League of Frightened Men"
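
An added example, not part of the original messages or the Debian package: a small Python check of the `global` TLS settings discussed in this thread. It flags RSA key exchange, non-AEAD ciphers, TLS 1.0/1.1 left enabled, and DHE ciphers without `ssl-dh-param-file`. The function names, finding labels, the second sample config and its file path are assumptions made for illustration.

```python
SECTIONS = {"global", "defaults", "frontend", "backend", "listen"}

# Constructed sample: the two settings quoted in the message above.
LEGACY = """global
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3
"""
# Constructed sample (not the generator's output); the path is a placeholder.
TIGHTENED = """global
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
    ssl-dh-param-file /path/to/dhparam.pem
"""

def global_directives(cfg):
    """Collect {directive: [args]} from the global section of a haproxy.cfg."""
    section, found = None, {}
    for raw in cfg.splitlines():
        words = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if not words:
            continue
        if words[0] in SECTIONS:
            section = words[0]
        elif section == "global":
            found.setdefault(words[0], []).extend(words[1:])
    return found

def audit(cfg):
    g = global_directives(cfg)
    # Keep only terms that add ciphers; "!X" and "-X" remove them.
    terms = [t for arg in g.get("ssl-default-bind-ciphers", [])
             for t in arg.split(":") if t and t[0] not in "!-"]
    opts = g.get("ssl-default-bind-options", [])
    findings = []
    # OpenSSL's "RSA" alias selects RSA key exchange (no forward secrecy);
    # explicit suite names without an (EC)DHE prefix are treated the same.
    explicit_static = [t for t in terms if "-" in t and not t.startswith(("ECDHE-", "DHE-"))]
    if explicit_static or any(t.startswith("RSA") for t in terms):
        findings.append("rsa-key-exchange")
    # A term not limited to GCM or CHACHA20 also admits CBC-mode suites.
    if any("GCM" not in t and "CHACHA20" not in t for t in terms):
        findings.append("non-aead-ciphers")
    # Assumption: TLS 1.0/1.1 stay enabled unless the options turn them off.
    min_ver = opts[opts.index("ssl-min-ver") + 1] if "ssl-min-ver" in opts[:-1] else None
    if min_ver not in ("TLSv1.2", "TLSv1.3") and not {"no-tlsv10", "no-tlsv11"} <= set(opts):
        findings.append("tls-1.0/1.1-enabled")
    if any(t.startswith(("DH+", "DHE-")) for t in terms) and "ssl-dh-param-file" not in g:
        findings.append("no-dh-param-file")
    return findings

if __name__ == "__main__":
    for name, cfg in (("legacy", LEGACY), ("tightened", TIGHTENED)):
        print(name, audit(cfg) or "no findings")
```

Newer HAProxy releases may already default to a TLS 1.2 minimum, in which case the `tls-1.0/1.1-enabled` finding should be read against the installed version's defaults.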
