-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

On 04/Sep - 01:37, Willy Tarreau <[email protected]> wrote:
>| Have a lot of fun and please report your success/failures,
>| Willy

Thanks a lot for this useful feature. It works well on a dual PPC64 Linux
server.

I wrote a small patch to add the SSL_OP_CIPHER_SERVER_PREFERENCE OpenSSL option
to the frontend, if the 'prefer-server-ciphers' keyword is set.

https://0x1.fr/files/patchs/haproxy-ss-20120904_prefer_server_ciphers.patch

Example :
    bind 10.11.12.13 ssl /etc/haproxy/ssl/cert.pem ciphers RC4:HIGH:!aNULL:!MD5 prefer-server-ciphers

This option mitigates the effect of the BEAST Attack (as I understand), and it
is equivalent to :
 - Apache HTTPd SSLHonorCipherOrder option.
 - Nginx ssl_prefer_server_ciphers option.

Maybe it can be useful to add OpenSSL options directly in the haproxy
configuration as the 'options' keyword in stunnel.

Best regards.

- -- 
________________________________________________________________________________
David BERARD
contact(at)davidberard.fr
GPG|PGP KeyId 0xC8533354
GPG|PGP Key http://davidberard.fr/C8533354.gpgkey
________________________________________________________________________________
* No electrons were harmed in the transmission of this email *
-----BEGIN PGP SIGNATURE-----

iEYEARECAAYFAlBF/uAACgkQOL7fhchTM1Q0PQCgqbxmjbxKokJ2dFX28dbfjml4
KOcAnja+g7reSbHJVub8P4HYrcz1Q/TG
=PD86
-----END PGP SIGNATURE-----
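
Added example (not part of the original message or of the linked patch): a simplified Python model of how a server picks the cipher suite with and without SSL_OP_CIPHER_SERVER_PREFERENCE, showing why the option matters for BEAST under TLS 1.0. The function names are hypothetical, and the client lists and the expanded server list are constructed sample data.

```python
# Added illustration, not HAProxy or OpenSSL code. Simplified model of
# server-side cipher selection; it ignores key-type and protocol filtering.

# CBC-mode suites (OpenSSL names) that BEAST targets under SSLv3 / TLS 1.0.
CBC_SUITES = {"AES128-SHA", "AES256-SHA", "DES-CBC3-SHA"}

# Constructed stand-in for the order "RC4:HIGH:!aNULL:!MD5" yields: RC4 first.
SERVER_PREFS = ["RC4-SHA", "AES256-SHA", "AES128-SHA", "DES-CBC3-SHA"]
# Constructed ClientHello orders: one lists RC4 last, one has no RC4 at all.
CLIENT_WITH_RC4 = ["AES128-SHA", "AES256-SHA", "DES-CBC3-SHA", "RC4-SHA"]
CLIENT_CBC_ONLY = ["AES128-SHA", "DES-CBC3-SHA"]


def choose_cipher(client_prefs, server_prefs, prefer_server):
    """Return the first suite of the priority list that the peer also accepts.

    With SSL_OP_CIPHER_SERVER_PREFERENCE the server's order is the priority
    list; without it the client's order is. None means no shared suite.
    """
    if prefer_server:
        prio, allow = server_prefs, set(client_prefs)
    else:
        prio, allow = client_prefs, set(server_prefs)
    return next((s for s in prio if s in allow), None)


def beast_exposed(protocol, suite):
    """True when the negotiated suite is CBC under a protocol BEAST affects."""
    return protocol in ("SSLv3", "TLSv1") and suite in CBC_SUITES


def report(client_prefs, protocol="TLSv1"):
    """Negotiate both ways and return {prefer_server: (suite, exposed)}."""
    out = {}
    for prefer_server in (False, True):
        suite = choose_cipher(client_prefs, SERVER_PREFS, prefer_server)
        out[prefer_server] = (suite, beast_exposed(protocol, suite))
    return out


if __name__ == "__main__":
    for name, prefs in (("with RC4", CLIENT_WITH_RC4), ("CBC only", CLIENT_CBC_ONLY)):
        for prefer_server, (suite, exposed) in report(prefs).items():
            print(f"client {name:8} prefer_server={prefer_server!s:5} "
                  f"-> {suite:12} BEAST-exposed={exposed}")
```

Server preference only changes the outcome when the client offers a non-CBC suite, as the CBC-only client shows. RC4 reflects the 2012 example above; RFC 7465 has since prohibited it in TLS.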

