Hi all,

On 05/02/2019 05:37, Willy Tarreau wrote:
Hi guys,

On Mon, Feb 04, 2019 at 10:13:11PM +0100, Lukas Tribus wrote:
> Since TLS ciphers are not well understood, it is very common that parameters
> from documentation are used as is. Since RC4 should not be used anymore
> I believe it is wiser to show an example including stronger ciphers to
> avoid deploying unsafe configuration in the wild.
>
> "ALL" is also to be avoided since it contains a lot of deprecated,
> insecure ciphers, and garbage that is not applicable in haproxy
> context.

Frankly I would rather remove those altogether and maybe link to
somewhere else, like the Mozilla TLS recommendations:
https://wiki.mozilla.org/Security/Server_Side_TLS

No one checks for documentation updates in stable releases, unless
it's for a new feature, so I'd be inclined to say backporting doc
fixes regarding security relevant stuff does not really work.

I agree, we've been caught several times shipping old warnings like
"threads are experimental" or "haproxy doesn't cache" or stuff like
this. It's terribly difficult to maintain isolated doc parts and even
harder to keep them up to date in stable versions. Thus probably we
should instead propose the link to Mozilla's Wiki above as well as
the link to their config generator which is trivial to use :

    https://mozilla.github.io/server-side-tls/ssl-config-generator/

It even explains how to use HSTS by default. What do you think Bertrand ?

Yep, all of this sounds legit. Please find attached a new patch series attempting to address all your concerns.

Cheers,
Bertrand

--
Bertrand
From 10071238c893b49cd43cf447a885e4b6af4cd44c Mon Sep 17 00:00:00 2001
From: Bertrand Jacquin <bertr...@jacquin.bzh>
Date: Sun, 3 Feb 2019 18:48:49 +0000
Subject: [PATCH 2/2] DOC: ssl: Stop documenting ciphers example to use

Since TLS ciphers are not well understood, it is very common practice to
copy and paste parameters from documentation and use them as-is. Since RC4
should not be used anymore, it is wiser to link users to up to date
documentation from Mozilla to avoid unsafe configuration in the wild.

Clarify the location of man pages for OpenSSL when missing.
---
 doc/configuration.txt | 62 +++++++++++++++++++++----------------------
 1 file changed, 31 insertions(+), 31 deletions(-)

diff --git a/doc/configuration.txt b/doc/configuration.txt
index 9d366b9c7e7a..d2a49cf11bdf 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -1029,10 +1029,12 @@ ssl-default-bind-ciphers <ciphers>
   the default string describing the list of cipher algorithms ("cipher suite")
   that are negotiated during the SSL/TLS handshake up to TLSv1.2 for all
   "bind" lines which do not explicitly define theirs. The format of the string
-  is defined in "man 1 ciphers" from OpenSSL man pages, and can be for instance
-  a string such as "AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH" (without quotes). For
-  TLSv1.3 cipher configuration, please check the "ssl-default-bind-ciphersuites"
-  keyword. Please check the "bind" keyword for more information.
+  is defined in "man 1 ciphers" from OpenSSL man pages. For background
+  information and recommendations see e.g.
+  (https://wiki.mozilla.org/Security/Server_Side_TLS) and
+  (https://mozilla.github.io/server-side-tls/ssl-config-generator/). For TLSv1.3
+  cipher configuration, please check the "ssl-default-bind-ciphersuites" keyword.
+  Please check the "bind" keyword for more information.
 
 ssl-default-bind-ciphersuites <ciphersuites>
   This setting is only available when support for OpenSSL was built in and
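
Review bot: the two Mozilla URLs added after "man 1 ciphers" here are repeated verbatim under ssl-default-server-ciphers and under both "ciphers" keywords, which leaves four copies to keep current. Since this paragraph already ends with 'Please check the "bind" keyword for more information', consider keeping the links only under the "bind" and "server" keywords and letting the two defaults refer to them.
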
@@ -1040,11 +1042,9 @@ ssl-default-bind-ciphersuites <ciphersuites>
   describing the list of cipher algorithms ("cipher suite") that are negotiated
   during the TLSv1.3 handshake for all "bind" lines which do not explicitly define
   theirs. The format of the string is defined in
-  "man 1 ciphers" from OpenSSL man pages under the section "ciphersuites", and can
-  be for instance a string such as
-  "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
-  (without quotes). For cipher configuration for TLSv1.2 and earlier, please check
-  the "ssl-default-bind-ciphers" keyword. Please check the "bind" keyword for more
+  "man 1 ciphers" from OpenSSL man pages under the section "ciphersuites". For
+  cipher configuration for TLSv1.2 and earlier, please check the
+  "ssl-default-bind-ciphers" keyword. Please check the "bind" keyword for more
   information.
 
 ssl-default-bind-options [<option>]...
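
Review bot: the removed example "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256" contains neither RC4 nor "ALL", so the rationale in the commit message does not cover it, and unlike the "ciphers" paragraphs nothing replaces it. Either keep the example or add the same pointer to the Mozilla recommendations, so that readers configuring TLSv1.3 are not left with only "man 1 ciphers"; the same applies to the bind "ciphersuites" keyword later in this patch.
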
@@ -1061,9 +1061,13 @@ ssl-default-server-ciphers <ciphers>
   sets the default string describing the list of cipher algorithms that are
   negotiated during the SSL/TLS handshake up to TLSv1.2 with the server,
   for all "server" lines which do not explicitly define theirs. The format of
-  the string is defined in "man 1 ciphers". For TLSv1.3 cipher configuration,
-  please check the "ssl-default-server-ciphersuites" keyword. Please check the
-  "server" keyword for more information.
+  the string is defined in "man 1 ciphers" from OpenSSL man pages. For background
+  information and recommendations see e.g.
+  (https://wiki.mozilla.org/Security/Server_Side_TLS) and
+  (https://mozilla.github.io/server-side-tls/ssl-config-generator/).
+  For TLSv1.3 cipher configuration, please check the
+  "ssl-default-server-ciphersuites" keyword. Please check the "server" keyword
+  for more information.
 
 ssl-default-server-ciphersuites <ciphersuites>
   This setting is only available when support for OpenSSL was built in and
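
Review bot: the added links point to "Server_Side_TLS" guidance, while this keyword sets what haproxy offers when it connects to a server ("negotiated ... with the server"). A short clause saying the recommendations are meant to be applied to "server" lines as well would keep readers from assuming they only concern "bind" lines.
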
@@ -1071,9 +1075,10 @@ ssl-default-server-ciphersuites <ciphersuites>
   string describing the list of cipher algorithms that are negotiated during
   the TLSv1.3 handshake with the server, for all "server" lines which do not
   explicitly define theirs. The format of the string is defined in
-  "man 1 ciphers" under the "ciphersuites" section. For cipher configuration for
-  TLSv1.2 and earlier, please check the "ssl-default-server-ciphers" keyword.
-  Please check the "server" keyword for more information.
+  "man 1 ciphers" from OpenSSL man pages under the section "ciphersuites". For
+  cipher configuration for TLSv1.2 and earlier, please check the
+  "ssl-default-server-ciphers" keyword. Please check the "server" keyword for
+  more information.
 
 ssl-default-server-options [<option>]...
   This setting is only available when support for OpenSSL was built in. It sets
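
Review bot: style point on the added lines: the existing wording 'under the "ciphersuites" section' becomes 'under the section "ciphersuites"', yet the bind and server "ciphersuites" hunks later in this patch use 'under the "ciphersuites" section'. Keep the original word order and add only 'from OpenSSL man pages', so all the paragraphs read the same.
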
@@ -10894,10 +10899,7 @@ ciphers <ciphers>
   This setting is only available when support for OpenSSL was built in. It sets
   the string describing the list of cipher algorithms ("cipher suite") that are
   negotiated during the SSL/TLS handshake up to TLSv1.2. The format of the
-  string is defined in "man 1 ciphers" from OpenSSL man pages, and can be for
-  instance a string such as "AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH" (without
-  quotes). Depending on the compatibility and security requirements, the list
-  of suitable ciphers depends on a variety of variables. For background
+  string is defined in "man 1 ciphers" from OpenSSL man pages. For background
   information and recommendations see e.g.
   (https://wiki.mozilla.org/Security/Server_Side_TLS) and
   (https://mozilla.github.io/server-side-tls/ssl-config-generator/). For TLSv1.3
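
Review bot: the deleted lines drop more than the example string: the sentence 'Depending on the compatibility and security requirements, the list of suitable ciphers depends on a variety of variables' goes too, and it is what motivates the 'For background information and recommendations' sentence that follows. Consider keeping it and removing only the 'and can be for instance ...' clause.
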
@@ -10908,11 +10910,8 @@ ciphersuites <ciphersuites>
   OpenSSL 1.1.1 or later was used to build HAProxy. It sets the string describing
   the list of cipher algorithms ("cipher suite") that are negotiated during the
   TLSv1.3 handshake. The format of the string is defined in "man 1 ciphers" from
-  OpenSSL man pages under the "ciphersuites" section, and can be for instance a
-  string such as
-  "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
-  (without quotes). For cipher configuration for TLSv1.2 and earlier, please check
-  the "ciphers" keyword.
+  OpenSSL man pages under the "ciphersuites" section. For cipher configuration
+  for TLSv1.2 and earlier, please check the "ciphers" keyword.
 
 crl-file <crlfile>
   This setting is only available when support for OpenSSL was built in. It
@@ -11661,19 +11660,20 @@ ciphers <ciphers>
   This setting is only available when support for OpenSSL was built in. This
   option sets the string describing the list of cipher algorithms that is
   negotiated during the SSL/TLS handshake with the server. The format of the
-  string is defined in "man 1 ciphers". When SSL is used to communicate with
-  servers on the local network, it is common to see a weaker set of algorithms
-  than what is used over the internet. Doing so reduces CPU usage on both the
-  server and haproxy while still keeping it compatible with deployed software.
-  Some algorithms such as RC4-SHA1 are reasonably cheap. If no security at all
-  is needed and just connectivity, using DES can be appropriate.
+  string is defined in "man 1 ciphers" from OpenSSL man pages. For background
+  information and recommendations see e.g.
+  (https://wiki.mozilla.org/Security/Server_Side_TLS) and
+  (https://mozilla.github.io/server-side-tls/ssl-config-generator/). For TLSv1.3
+  cipher configuration, please check the "ciphersuites" keyword.
 
 ciphersuites <ciphersuites>
   This setting is only available when support for OpenSSL was built in and
   OpenSSL 1.1.1 or later was used to build HAProxy. This option sets the string
   describing the list of cipher algorithms that is negotiated during the TLS
   1.3 handshake with the server. The format of the string is defined in
-  "man 1 ciphers" under the "ciphersuites" section.
+  "man 1 ciphers" from OpenSSL man pages under the "ciphersuites" section.
+  For cipher configuration for TLSv1.2 and earlier, please check the "ciphers"
+  keyword.
 
 cookie <value>
   The "cookie" parameter sets the cookie value assigned to the server to
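
Review bot: in the server "ciphers" paragraph the first sentence still reads "negotiated during the SSL/TLS handshake with the server" with no version limit, while the bind "ciphers" text says "up to TLSv1.2". The added "For TLSv1.3 cipher configuration ..." sentence only implies the limit; state it in the first sentence as well so both keywords are described the same way.
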
From 97212263b4b8e89f614ee13928bbd6eadf44f43d Mon Sep 17 00:00:00 2001
From: Bertrand Jacquin <bertr...@jacquin.bzh>
Date: Sun, 3 Feb 2019 18:35:25 +0000
Subject: [PATCH 1/2] DOC: ssl: Clarify when pre TLSv1.3 cipher can be used

This is mainly driven by the fact TLSv1.3 will have a successor at some
point.
---
 doc/configuration.txt | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/doc/configuration.txt b/doc/configuration.txt
index fe5eb25076c7..9d366b9c7e7a 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -1027,7 +1027,7 @@ setenv <name> <value>
 ssl-default-bind-ciphers <ciphers>
   This setting is only available when support for OpenSSL was built in. It sets
   the default string describing the list of cipher algorithms ("cipher suite")
-  that are negotiated during the SSL/TLS handshake except for TLSv1.3 for all
+  that are negotiated during the SSL/TLS handshake up to TLSv1.2 for all
   "bind" lines which do not explicitly define theirs. The format of the string
   is defined in "man 1 ciphers" from OpenSSL man pages, and can be for instance
   a string such as "AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH" (without quotes). For
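
Review bot: "up to TLSv1.2" on the changed line can be read as excluding TLSv1.2 itself; "up to and including TLSv1.2" would be unambiguous. The same wording is introduced in the two following hunks.
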
@@ -1059,7 +1059,7 @@ ssl-default-bind-options [<option>]...
 ssl-default-server-ciphers <ciphers>
   This setting is only available when support for OpenSSL was built in. It
   sets the default string describing the list of cipher algorithms that are
-  negotiated during the SSL/TLS handshake except for TLSv1.3 with the server,
+  negotiated during the SSL/TLS handshake up to TLSv1.2 with the server,
   for all "server" lines which do not explicitly define theirs. The format of
   the string is defined in "man 1 ciphers". For TLSv1.3 cipher configuration,
   please check the "ssl-default-server-ciphersuites" keyword. Please check the
@@ -10893,7 +10893,7 @@ ca-sign-pass <passphrase>
 ciphers <ciphers>
   This setting is only available when support for OpenSSL was built in. It sets
   the string describing the list of cipher algorithms ("cipher suite") that are
-  negotiated during the SSL/TLS handshake except for TLSv1.3. The format of the
+  negotiated during the SSL/TLS handshake up to TLSv1.2. The format of the
   string is defined in "man 1 ciphers" from OpenSSL man pages, and can be for
   instance a string such as "AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH" (without
   quotes). Depending on the compatibility and security requirements, the list
