The cipher suite list only shows two possible ciphers, neither suitable for FS:

    TLS_RSA_WITH_AES_256_CBC_SHA
    TLS_RSA_WITH_AES_128_CBC_SHA

This is also why all the modern browsers are marked as "No FS": they can't
use an FS cipher.

Try this on your haproxy instance:

    $ openssl ciphers 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA:AES256+EECDH:AES256+EDH:TLSv1+HIGH:!aNULL:!eNULL:!3DES:!RC4:!CAMELLIA:!DH:!kECDHE:@STRENGTH:!DHE' | tr ':' '\n'

(I copied the cipher list from your earlier mail.) On my box this results in

    ECDHE-RSA-AES256-GCM-SHA384
    ECDHE-ECDSA-AES256-GCM-SHA384
    ECDHE-RSA-AES256-SHA384
    ECDHE-ECDSA-AES256-SHA384
    ECDHE-RSA-AES256-SHA
    ECDHE-ECDSA-AES256-SHA
    SRP-DSS-AES-256-CBC-SHA
    SRP-RSA-AES-256-CBC-SHA
    SRP-AES-256-CBC-SHA
    ECDH-RSA-AES256-SHA
    ECDH-ECDSA-AES256-SHA
    AES256-SHA
    PSK-AES256-CBC-SHA
    ECDHE-RSA-AES128-SHA
    ECDHE-ECDSA-AES128-SHA
    SRP-DSS-AES-128-CBC-SHA
    SRP-RSA-AES-128-CBC-SHA
    SRP-AES-128-CBC-SHA
    ECDH-RSA-AES128-SHA
    ECDH-ECDSA-AES128-SHA
    AES128-SHA
    PSK-AES128-CBC-SHA

Check the output on your load balancer; maybe the OpenSSL version is just
too old?

Regards,
Daniel

--
Daniel Schneller
Principal Cloud Engineer

CenterDevice GmbH | Hochstraße 11
| 42697 Solingen
tel: +49 1754155711 | Deutschland
daniel.schnel...@centerdevice.de | www.centerdevice.de

Geschäftsführung: Dr. Patrick Peschlow, Dr. Lukas Pustina,
Michael Rosbach, Handelsregister-Nr.: HRB 18655,
HR-Gericht: Bonn, USt-IdNr.: DE-815299431

> On 30. Aug. 2017, at 11:42, Julian Zielke <jzie...@next-level-integration.com> wrote:
>
> Hi,
>
> sure I can share it, since the site is secured already in many ways:
>
> https://www.ssllabs.com/ssltest/analyze.html?d=portal-vonovia.next-level-apps.com&hideResults=on
>
> - Julian
>
> From: Daniel Schneller [mailto:daniel.schnel...@centerdevice.com]
> Sent: Wednesday, 30 August 2017 11:39
> To: Julian Zielke <jzie...@next-level-integration.com>
> Cc: haproxy+h...@formilux.org <haproxy@formilux.org>
> Subject: Re: Enable SSL Forward Secrecy
>
> Hi,
>
> You might want to include a link to your Qualys results to help others
> see what exactly they say.
> At a casual glance the ciphers look ok, but it would be easier to see
> the SSLlabs output.
> If you don't want to share it, I suggest scrolling down and looking at
> the results of the per-browser handshakes and going through them; IIRC
> there is some "FS" vs. "No FS" marker there.
>
> Regards,
> Daniel
>
> > On 30. Aug. 2017, at 11:33, Julian Zielke <jzie...@next-level-integration.com> wrote:
> >
> > Hi,
> >
> > I'm struggling with enabling SSL forward secrecy in my haproxy 1.7 setup.
> >
> > So far the global settings look like:
> >
> >     tune.ssl.default-dh-param 2048 # tune shared secret to 2048 bits
> >
> >     ssl-default-bind-options force-tlsv12 no-sslv3
> >     ssl-default-bind-ciphers TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA:AES256+EECDH:AES256+EDH:TLSv1+HIGH:!aNULL:!eNULL:!3DES:!RC4:!CAMELLIA:!DH:!kECDHE:@STRENGTH:!DHE
> >     ssl-default-server-options force-tlsv12 no-sslv3
> >     ssl-default-server-ciphers TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA:AES256+EECDH:AES256+EDH:TLSv1+HIGH:!aNULL:!eNULL:!3DES:!RC4:!CAMELLIA:!DH:!kECDHE:@STRENGTH:!DHE
> >
> >     ssl-server-verify required
> >     tune.ssl.cachesize 100000
> >     tune.ssl.lifetime 600
> >     tune.ssl.maxrecord 1460
> >
> > and in my https UI I've set:
> >
> >     ### ssl forward secrecy tweak
> >     # Distinguish between secure and insecure requests
> >     acl secure dst_port eq 443
> >
> >     # Mark all cookies as secure if sent over SSL
> >     rsprep ^Set-Cookie:\ (.*) Set-Cookie:\ \1;\ Secure if secure
> >
> >     # Add the HSTS header with a 1 year max-age
> >     rspadd Strict-Transport-Security:\ max-age=31536000 if secure
> >
> > Still Qualys gives me an A- rating telling me:
> >
> >     The server does not support Forward Secrecy with the reference
> >     browsers. Grade reduced to A-.
> >
> > Any clue how to fix this?
> >
> > - Julian
>
> Important Note: The information contained in this e-mail is confidential.
> It is intended solely for the addressee. Access to this e-mail by anyone
> else is unauthorized. If you are not the intended recipient, any form of
> disclosure, reproduction, distribution or any action taken or refrained
> from in reliance on it, is prohibited and may be unlawful. Please notify
> the sender immediately. We also would like to inform you that
> communication via e-mail over the internet is insecure because third
> parties may have the possibility to access and manipulate e-mails.
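The following script is an added example and is not part of the thread, of haproxy or of OpenSSL. It turns Daniel's check into something that runs without a live server: it classifies suite names (the IANA TLS_* names SSL Labs prints, and the short names `openssl ciphers` prints) as forward-secret or not, and it lists the `!` rules in the posted `ssl-default-bind-ciphers` string that permanently remove ephemeral key exchange. The two suite lists are copied from the mails above; the cipher string is the one from Julian's global section. Forward secrecy comes only from ephemeral (EC)DH key exchange, and ciphers(1) documents `kECDHE`/`kEECDH`/`ECDHE`/`EECDH`/`ECDH` as the aliases covering ephemeral ECDH and `kDHE`/`kEDH`/`DHE`/`EDH`/`DH` as those covering ephemeral DH, so on an OpenSSL build that knows these aliases the `!DH:!kECDHE:!DHE` in that string leaves only static-RSA suites, which is what the SSL Labs listing shows. The script goes a little beyond the thread by also recognising TLS 1.3 suite names (always forward-secret) and anonymous (EC)DH; the TLS 1.3 and static-ECDH names used in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the thread, haproxy or OpenSSL): audit a cipher
# list for forward secrecy (FS) offline.

# Constructed inputs, copied from the two lists and the config in the thread.
SSLLABS_SUITES='TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA'

OPENSSL_SUITES='ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-SHA384
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA
ECDHE-ECDSA-AES256-SHA
SRP-DSS-AES-256-CBC-SHA
SRP-RSA-AES-256-CBC-SHA
SRP-AES-256-CBC-SHA
ECDH-RSA-AES256-SHA
ECDH-ECDSA-AES256-SHA
AES256-SHA
PSK-AES256-CBC-SHA
ECDHE-RSA-AES128-SHA
ECDHE-ECDSA-AES128-SHA
SRP-DSS-AES-128-CBC-SHA
SRP-RSA-AES-128-CBC-SHA
SRP-AES-128-CBC-SHA
ECDH-RSA-AES128-SHA
ECDH-ECDSA-AES128-SHA
AES128-SHA
PSK-AES128-CBC-SHA'

CIPHER_STRING='TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA:AES256+EECDH:AES256+EDH:TLSv1+HIGH:!aNULL:!eNULL:!3DES:!RC4:!CAMELLIA:!DH:!kECDHE:@STRENGTH:!DHE'

# Rules that, once present with '!', can never be re-enabled later in the
# string and that remove every ephemeral key-exchange suite (see ciphers(1)).
FS_KILLER_RE='^!(kECDHE|kEECDH|ECDHE|EECDH|ECDH|kDHE|kEDH|DHE|EDH|DH)$'

# fs_classify: read suite names on stdin, print "FS <name>" or "NO-FS <name>".
# Only ephemeral key exchange gives forward secrecy: ECDHE/DHE (incl. the
# anonymous AECDH/ADH and DH_anon/ECDH_anon forms) and every TLS 1.3 suite,
# whose key exchange is always (EC)DHE.  RSA, static (EC)DH, SRP and plain
# PSK key exchange do not.
fs_classify() {
    awk '
        NF == 0 { next }
        {
            n = $1
            fs = 0
            if (n ~ /^TLS_(ECDHE|DHE|DH_anon|ECDH_anon)_/) fs = 1
            if (n ~ /^(ECDHE|DHE|EDH|AECDH|ADH)-/)         fs = 1
            if (n ~ /^TLS_(AES_(128|256)_GCM|AES_128_CCM|CHACHA20_POLY1305)_/) fs = 1
            print (fs ? "FS    " : "NO-FS ") n
        }'
}

# fs_count: number of forward-secret suites among the names on stdin.
fs_count() { fs_classify | awk '/^FS / { c++ } END { print c + 0 }'; }

# fs_killers "<cipher string>": print the offending '!' rules, one per line.
fs_killers() {
    printf '%s\n' "$1" | tr ':' '\n' | grep -E "$FS_KILLER_RE" || true
}

# fs_strip_killers "<cipher string>": the same string without those rules.
fs_strip_killers() {
    printf '%s\n' "$1" | tr ':' '\n' | grep -Ev "$FS_KILLER_RE" |
        awk 'NR > 1 { printf ":" } { printf "%s", $0 } END { print "" }'
}

# Stand-alone demo over the thread's data.
printf 'SSL Labs handshake list (%s FS suites):\n' "$(printf '%s\n' "$SSLLABS_SUITES" | fs_count)"
printf '%s\n' "$SSLLABS_SUITES" | fs_classify
printf '\nopenssl ciphers output from the thread (%s FS suites):\n' "$(printf '%s\n' "$OPENSSL_SUITES" | fs_count)"
printf '%s\n' "$OPENSSL_SUITES" | fs_classify
printf '\nRules in the posted cipher string that kill forward secrecy:\n'
fs_killers "$CIPHER_STRING"
printf '\nSame string with those rules removed:\n%s\n' "$(fs_strip_killers "$CIPHER_STRING")"
# If a local openssl exists, expand the cleaned string and classify the result.
if command -v openssl >/dev/null 2>&1; then
    printf '\nLocal expansion of the cleaned string:\n'
    openssl ciphers "$(fs_strip_killers "$CIPHER_STRING")" 2>/dev/null | tr ':' '\n' | fs_classify || true
fi
```

To audit a real load balancer the same way, pipe the `openssl ciphers ... | tr ':' '\n'` command from Daniel's mail into `fs_classify` on the haproxy host: whatever that OpenSSL expands the configured string to is what haproxy offers. Note that the `TLS_ECDHE_RSA_WITH_...` tokens at the front of the posted string are IANA names, not OpenSSL short names; OpenSSL's cipher-string parser skips tokens it does not recognise rather than failing, so they neither add anything nor produce an error, and the ECDHE suites in Daniel's local output come from `AES256+EECDH` and `TLSv1+HIGH`, not from them. With the three `!` rules gone, `ssl-default-bind-ciphers` keeps ECDHE (and DHE, sized by `tune.ssl.default-dh-param 2048`) suites, which is what SSL Labs needs to see for its reference browsers.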