Darn! Looking at the “openssl ciphers” Julian provided earlier, my mind “autocompleted” the missing trailing “E” in ECDH (/me facepalms).
Thanks, Cyril, for pointing that out! I was starting to doubt myself here :)

Cheers,
Daniel

--
Daniel Schneller
Principal Cloud Engineer

CenterDevice GmbH | Hochstraße 11 | 42697 Solingen
tel: +49 1754155711 | Germany
daniel.schnel...@centerdevice.de | www.centerdevice.de

Managing Directors: Dr. Patrick Peschlow, Dr. Lukas Pustina, Michael Rosbach, Commercial Register No.: HRB 18655, Register Court: Bonn, VAT ID: DE-815299431

> On 30. Aug. 2017, at 15:41, Cyril Bonté <cyril.bo...@free.fr> wrote:
>
>> From: "Julian Zielke" <jzie...@next-level-integration.com>
>> To: "Cyril Bonté" <cyril.bo...@free.fr>
>> Cc: haproxy@formilux.org
>> Sent: Wednesday, 30 August 2017 15:11:47
>> Subject: AW: Enable SSL Forward Secrecy
>>
>> Hi Cyril,
>>
>> tried it without success. Maybe HaProxy isn't just capable of doing
>> this.
>
> Oh well, indeed the "!kECDHE" excludes the ciphers from the list.
> You should retry without it (with or without RFC names in the ciphers list)
>
>>> ssl-default-bind-ciphers
>>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:
>>> TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA:AES256+EECDH:AES256+EDH:TLSv1+HIGH
>>> :!aNULL:!eNULL:!3DES:!RC4:!CAMELLIA:!DH:!kECDHE:@STRENGTH:!DHE
>
> Cyril Bonté
>
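A way to check the effect Cyril describes before reloading HAProxy, added here as an example and not part of the original thread: expand the quoted cipher string with `openssl ciphers -v` and count the suites whose key exchange is ephemeral ECDH, with and without the `!kECDHE` rule. It assumes the `openssl` CLI on the host uses the same OpenSSL library as HAProxy; the helper names `strip_rule`, `count_ecdhe` and `report` are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. The string below is the
# ssl-default-bind-ciphers value quoted above, joined into one value.
CIPHERS_WITH='TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:'\
'TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA:AES256+EECDH:AES256+EDH:TLSv1+HIGH'\
':!aNULL:!eNULL:!3DES:!RC4:!CAMELLIA:!DH:!kECDHE:@STRENGTH:!DHE'

# strip_rule LIST RULE: print LIST with every exact occurrence of RULE removed.
strip_rule() {
    printf '%s\n' "$1" | tr ':' '\n' | grep -Fxv -- "$2" | paste -sd: -
}

# count_ecdhe LIST: number of suites OpenSSL selects from LIST whose key
# exchange column is exactly Kx=ECDH (ephemeral ECDH). TLS 1.3 suites are
# reported as Kx=any and are not counted. A rejected or empty list counts as 0.
count_ecdhe() {
    openssl ciphers -v "$1" 2>/dev/null |
        awk '$3 == "Kx=ECDH" { n++ } END { print n + 0 }'
}

# report: compare the quoted string against the same string minus !kECDHE.
report() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not found on PATH" >&2
        return 0
    fi
    fixed=$(strip_rule "$CIPHERS_WITH" '!kECDHE')
    echo "with !kECDHE:    $(count_ecdhe "$CIPHERS_WITH") ECDHE suites"
    echo "without !kECDHE: $(count_ecdhe "$fixed") ECDHE suites"
}

report
```

A count of 0 on the first line means no TLS 1.2-or-earlier handshake against that bind line can negotiate ECDHE, whatever the client offers.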