The cipher suite list only shows two possible ciphers — both not suitable for 
FS.

TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA

This is also why all the modern browsers are marked as “No FS” — they can’t use 
a FS cipher.

Try this on your haproxy instance:

$ openssl ciphers 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA:AES256+EECDH:AES256+EDH:TLSv1+HIGH:!aNULL:!eNULL:!3DES:!RC4:!CAMELLIA:!DH:!kECDHE:@STRENGTH:!DHE' \
    | tr ':' '\n'

(I copied the cipher list from your earlier mail.)
On my box this results in 

ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-SHA384
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA
ECDHE-ECDSA-AES256-SHA
SRP-DSS-AES-256-CBC-SHA
SRP-RSA-AES-256-CBC-SHA
SRP-AES-256-CBC-SHA
ECDH-RSA-AES256-SHA
ECDH-ECDSA-AES256-SHA
AES256-SHA
PSK-AES256-CBC-SHA
ECDHE-RSA-AES128-SHA
ECDHE-ECDSA-AES128-SHA
SRP-DSS-AES-128-CBC-SHA
SRP-RSA-AES-128-CBC-SHA
SRP-AES-128-CBC-SHA
ECDH-RSA-AES128-SHA
ECDH-ECDSA-AES128-SHA
AES128-SHA
PSK-AES128-CBC-SHA

Check the output on your load balancer — maybe the OpenSSL version is just too old?

Regards,
Daniel

-- 
Daniel Schneller
Principal Cloud Engineer
 
CenterDevice GmbH                  | Hochstraße 11
                                   | 42697 Solingen
tel: +49 1754155711                | Deutschland
daniel.schnel...@centerdevice.de   | www.centerdevice.de

Geschäftsführung: Dr. Patrick Peschlow, Dr. Lukas Pustina,
Michael Rosbach, Handelsregister-Nr.: HRB 18655,
HR-Gericht: Bonn, USt-IdNr.: DE-815299431
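The check suggested above can be automated. The script below is an added example, not code from the thread or from haproxy: it takes the lines printed by `openssl ciphers -v` for a cipher string and classifies every suite by its key-exchange field, because forward secrecy depends on the key exchange being ephemeral (ECDHE or DHE), not on the bulk cipher or the MAC. It runs on a constructed sample modelled on OpenSSL 1.0.x output so it works offline; `check_cipher_string` applies the same classification to the local `openssl` when one is installed. Note that the string from the thread contains `!DH`, `!kECDHE` and `!DHE`; on an OpenSSL build that recognises those aliases they exclude every ephemeral key exchange, so which suites survive depends on the OpenSSL version haproxy is linked against (`haproxy -vv` prints it).

```shell
#!/bin/sh
# Added example: classify TLS cipher suites by key exchange to see which give forward secrecy.
# Input lines have the format printed by `openssl ciphers -v`, for example:
#   ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
# Only an ephemeral key exchange gives FS. In OpenSSL's -v output that is Kx=ECDH
# (ephemeral ECDH) or Kx=DH (ephemeral DH); TLS 1.3 suites show Kx=any and are always
# ephemeral. Kx=RSA (static RSA) and fixed ECDH (Kx=ECDH/RSA, Kx=ECDH/ECDSA) do not:
# a recorded session can be decrypted later with the server's long-term private key.

# fs_class KX: print "FS" or "no-FS" for one Kx=... field.
fs_class() {
    case "$1" in
        Kx=ECDH|Kx=DH|Kx=any) echo "FS" ;;
        *) echo "no-FS" ;;
    esac
}

# classify_ciphers: read `openssl ciphers -v` lines on stdin, print "<suite> <FS|no-FS>".
classify_ciphers() {
    while read -r name proto kx rest; do
        [ -n "$name" ] || continue
        echo "$name $(fs_class "$kx")"
    done
}

# count_fs: number of FS suites among the `openssl ciphers -v` lines on stdin.
count_fs() {
    classify_ciphers | awk '$2 == "FS" { n++ } END { print n + 0 }'
}

# check_cipher_string CIPHERSTRING: expand it with the local openssl, print the
# classification and return 1 if not a single FS suite survives (the situation
# Qualys reports as "No FS"). Returns 2 if openssl rejects the string entirely.
check_cipher_string() {
    list=$(openssl ciphers -v "$1") || return 2
    printf '%s\n' "$list" | classify_ciphers
    [ "$(printf '%s\n' "$list" | count_fs)" -gt 0 ]
}

# Constructed sample, modelled on OpenSSL 1.0.x `openssl ciphers -v` output
# (not captured from the thread).
SAMPLE='ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDH-RSA-AES256-SHA     SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1'

# The two suites Qualys listed in the thread, TLS_RSA_WITH_AES_256_CBC_SHA and
# TLS_RSA_WITH_AES_128_CBC_SHA, are AES256-SHA and AES128-SHA in OpenSSL naming:
# static RSA key exchange, hence "no-FS".
printf '%s\n' "$SAMPLE" | classify_ciphers
echo "FS suites in sample: $(printf '%s\n' "$SAMPLE" | count_fs)"

# Optional live check with the exact cipher string from the thread, if openssl is installed.
if command -v openssl >/dev/null 2>&1; then
    check_cipher_string 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA:AES256+EECDH:AES256+EDH:TLSv1+HIGH:!aNULL:!eNULL:!3DES:!RC4:!CAMELLIA:!DH:!kECDHE:@STRENGTH:!DHE' \
        || echo "no forward-secrecy suite survives this cipher string on this OpenSSL"
fi
```

Run it on the load balancer itself rather than on a workstation: the aliases a cipher string expands to, and therefore the surviving suites, are decided by the OpenSSL library haproxy is linked with, and a different version on another box will give a different list for the same string.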


> On 30. Aug. 2017, at 11:42, Julian Zielke 
> <jzie...@next-level-integration.com> wrote:
> 
> Hi,
>  
> sure I can share it, since the site is secured already in many ways:
>  
> https://www.ssllabs.com/ssltest/analyze.html?d=portal-vonovia.next-level-apps.com&hideResults=on
>  
> - Julian
>  
> From: Daniel Schneller [mailto:daniel.schnel...@centerdevice.com] 
> Sent: Wednesday, 30 August 2017 11:39
> To: Julian Zielke <jzie...@next-level-integration.com>
> Cc: haproxy+h...@formilux.org <haproxy@formilux.org>
> Subject: Re: Enable SSL Forward Secrecy
>  
> Hi,
>  
> You might want to include a link to your Qualys results to help others see 
> what exactly they say.
> At a casual glance the ciphers looks ok, but it would be easier to see the 
> SSLlabs output.
> If you don’t want to share it, I suggest scrolling down and looking at the 
> results of the per-browser handshakes and go through them — IIRC there is 
> some “FS” vs. “No FS” marker there.
>  
> Regards,
> Daniel
>  
> -- 
> Daniel Schneller
> Principal Cloud Engineer
>  
> CenterDevice GmbH                  | Hochstraße 11
>                                    | 42697 Solingen
> tel: +49 1754155711                | Deutschland
> daniel.schnel...@centerdevice.de   | www.centerdevice.de
> 
> Geschäftsführung: Dr. Patrick Peschlow, Dr. Lukas Pustina,
> Michael Rosbach, Handelsregister-Nr.: HRB 18655,
> HR-Gericht: Bonn, USt-IdNr.: DE-815299431
> 
>  
> On 30. Aug. 2017, at 11:33, Julian Zielke 
> <jzie...@next-level-integration.com> wrote:
>  
> Hi,
>  
> I’m struggling with enabling SSL forward secrecy in my haproxy 1.7 setup.
>  
> So far the global settings look like:
>  
>   tune.ssl.default-dh-param 2048 # size of the DH parameters used for DHE key exchange (2048 bits)
>  
>   ssl-default-bind-options force-tlsv12 no-sslv3
>   ssl-default-bind-ciphers 
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA:AES256+EECDH:AES256+EDH:TLSv1+HIGH:!aNULL:!eNULL:!3DES:!RC4:!CAMELLIA:!DH:!kECDHE:@STRENGTH:!DHE
>   ssl-default-server-options force-tlsv12 no-sslv3
>   ssl-default-server-ciphers 
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA:AES256+EECDH:AES256+EDH:TLSv1+HIGH:!aNULL:!eNULL:!3DES:!RC4:!CAMELLIA:!DH:!kECDHE:@STRENGTH:!DHE
>  
>   ssl-server-verify required
>   tune.ssl.cachesize 100000
>   tune.ssl.lifetime 600
>   tune.ssl.maxrecord 1460
>  
> and in my https UI I’ve set:
>  
> ### ssl forward secrecy tweak
> # Distinguish between secure and insecure requests
>    acl secure dst_port eq 443
>  
> # Mark all cookies as secure if sent over SSL
>    rsprep ^Set-Cookie:\ (.*) Set-Cookie:\ \1;\ Secure if secure
>  
> # Add the HSTS header with a 1 year max-age
>    rspadd Strict-Transport-Security:\ max-age=31536000 if secure
>  
> Still Qualys gives me an A- rating telling me:
> The server does not support Forward Secrecy with the reference browsers. 
> Grade reduced to A-.
>  
> Any clue how to fix this?
>  
> - Julian
>  
>  
> Important Note: The information contained in this e-mail is confidential. It 
> is intended solely for the addressee. Access to this e-mail by anyone else is 
> unauthorized. If you are not the intended recipient, any form of disclosure, 
> reproduction, distribution or any action taken or refrained from in reliance 
> on it, is prohibited and may be unlawful. Please notify the sender 
> immediately. We also would like to inform you that communication via e-mail 
> over the internet is insecure because third parties may have the possibility 
> to access and manipulate e-mails.
>  
> 
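For comparison, the global section quoted above beside a version that keeps ephemeral key exchanges. This is an added example, not Julian's final configuration and not taken from the haproxy documentation; the corrected cipher string is an assumption chosen for illustration, and the right string for a given deployment should be confirmed with `openssl ciphers -v` against the OpenSSL library haproxy was built with (`haproxy -vv` prints it). The posted string's `!DH`, `!kECDHE` and `!DHE` entries exclude ephemeral DH and ECDH suites on OpenSSL builds that know those aliases, which leaves only static-RSA suites of the kind Qualys listed; the corrected string uses the `EECDH` and `EDH` aliases that OpenSSL 1.0.x and later understand, excludes static RSA key exchange explicitly with `!kRSA`, and keeps `tune.ssl.default-dh-param 2048`, which only takes effect once DHE suites are allowed.

```haproxy
global
    # Posted (weak) cipher string, kept here commented out for comparison. The
    # exclusions !DH, !kECDHE and !DHE remove every ephemeral key exchange on
    # OpenSSL builds that recognise those aliases, so only static-RSA suites such
    # as AES256-SHA and AES128-SHA remain, and none of them offers forward secrecy.
    # ssl-default-bind-ciphers TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA:AES256+EECDH:AES256+EDH:TLSv1+HIGH:!aNULL:!eNULL:!3DES:!RC4:!CAMELLIA:!DH:!kECDHE:@STRENGTH:!DHE

    # Corrected settings (assumed, illustrative): ephemeral ECDH and DH only,
    # AEAD suites first, static RSA key exchange excluded explicitly via !kRSA.
    tune.ssl.default-dh-param 2048   # size of the DH parameters used by DHE suites
    ssl-default-bind-options force-tlsv12 no-sslv3
    ssl-default-bind-ciphers EECDH+AESGCM:EDH+AESGCM:EECDH+AES:EDH+AES:!kRSA:!aNULL:!eNULL:!3DES:!RC4:!MD5:@STRENGTH
    ssl-default-server-options force-tlsv12 no-sslv3
    ssl-default-server-ciphers EECDH+AESGCM:EDH+AESGCM:EECDH+AES:EDH+AES:!kRSA:!aNULL:!eNULL:!3DES:!RC4:!MD5:@STRENGTH
```

After reloading, the per-browser handshake table in the SSL Labs report should show "FS" for the modern reference browsers, and `openssl ciphers -v` with the new string should list only suites whose Kx field is ECDH or DH.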

