Hi,

I'm using haproxy to terminate SSL and it works for most of my users.
I have an AlphaSSL wildcard certificate.
I'm using SSL to improve WebSockets and RTMP connections on port 443.
I don't have sensitive data or e-commerce.

I have one user who sees a warning in Chrome and can't use my website.
Is it possible that the warning is because an antivirus is not happy
with the default ciphers or other SSL settings?

When running a test at https://sslcheck.globalsign.com/en_US I'm getting:
Sessions may be vulnerable to BEAST attack
Server has not enabled HTTP Strict-Transport-Security
Server has SSL v3 enabled
Server is using RC4-based ciphersuites which have known vulnerabilities
Server configuration does not meet FIPS guidelines
Server does not have OCSP stapling configured
Server has not yet upgraded to a Extended Validation certificate
Server does not have SPDY enabled

I found one suggestion:
bind 10.0.0.9:443 name https ssl crt /path/to/domain.pem ciphers RC4:HIGH:!aNULL:!MD5
http://blog.haproxy.com/2013/01/21/mitigating-the-ssl-beast-attack-using-the-aloha-load-balancer-haproxy/

And another:
bind 0.0.0.0:443 ssl crt /etc/cert.pem no-sslv3 prefer-server-ciphers ciphers RC4-SHA:AES128-SHA:AES256-SHA

Both give me other warnings.

What are the recommended ciphers and settings to use when terminating SSL
with haproxy?
Could there be another reason Chrome complains about SSL?

Thanks

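An added example, not part of the original post and not taken from haproxy's documentation, showing the difference between a bind line like the two suggestions above and a hardened one. It assumes haproxy 1.5 or later with OpenSSL, an HTTP frontend (an RTMP-over-TLS frontend would be `mode tcp`, where the HSTS header line does not apply), and made-up paths, addresses and backend names. The first suggestion quoted above puts RC4 first to dodge BEAST, but that trades a CBC weakness for RC4's own biases; dropping SSLv3 and preferring TLS 1.2 AES-GCM suites addresses the BEAST, SSLv3 and RC4 lines of the report at once. The cipher list is one reasonable choice, not the only one.

```haproxy
# Added example (not the poster's config, not haproxy's own docs).
# All paths, addresses and names below are assumptions.

global
    # Defaults applied to every "bind ... ssl" line unless the bind overrides them.
    # ECDHE + AES-GCM first (TLS 1.2, forward secrecy), CBC suites for older
    # clients, and RC4/MD5/anonymous suites excluded outright.
    ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:!aNULL:!eNULL:!MD5:!RC4
    # Fixes "Server has SSL v3 enabled".
    ssl-default-bind-options no-sslv3
    # Avoid the 1024-bit DH parameters OpenSSL would otherwise use for DHE suites.
    tune.ssl.default-dh-param 2048

# WEAK (shown for comparison only; this is roughly what the report is
# complaining about): SSLv3 still on, RC4 preferred, client order wins.
#
# frontend https_weak
#     bind 10.0.0.9:443 ssl crt /etc/haproxy/certs/domain.pem ciphers RC4:HIGH:!aNULL:!MD5
#     mode http
#     default_backend app

# HARDENED
frontend https_in
    # no-sslv3 and the global cipher list apply here; prefer-server-ciphers
    # makes haproxy's order, not the browser's, decide which suite is used.
    # If /etc/haproxy/certs/domain.pem.ocsp exists haproxy 1.5+ serves it as a
    # stapled OCSP response ("Server does not have OCSP stapling configured");
    # the response has to be fetched and refreshed out of band, e.g. from cron.
    bind 10.0.0.9:443 name https ssl crt /etc/haproxy/certs/domain.pem no-sslv3 prefer-server-ciphers
    mode http
    # Fixes "Server has not enabled HTTP Strict-Transport-Security".
    # Only add this once every hostname under the certificate really serves HTTPS,
    # since browsers will refuse plain http:// for max-age seconds afterwards.
    rspadd Strict-Transport-Security:\ max-age=15768000
    default_backend app

backend app
    mode http
    server app1 10.0.0.10:8080 check
```

After reloading, re-run the checker: the BEAST, SSLv3, RC4, HSTS and OCSP items should clear. The EV, FIPS and SPDY lines are not cipher problems (EV is a different certificate product, FIPS is a policy checkbox, SPDY needs a newer haproxy build with NPN/ALPN support) and are not what makes a browser refuse a connection, so if the one Chrome user still gets a warning, the cause is more likely on that client: an antivirus or proxy that re-signs TLS, a wrong system clock, or a missing intermediate certificate in domain.pem that only some clients can fetch on their own.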