As you can see from my pasted configuration, I was specifying exactly 4 ciphers. The 2 weak CBC ciphers were magically appearing in the SSL Labs report. I tried to explicitly delete them, but the delete request is ignored.

It seems that this entry, for example, must actually be a family: ECDHE-RSA-AES256-SHA384, which includes ECDHE-RSA-AES256-CBC-SHA384. Not clear why the explicit delete command doesn't delete the CBC cipher.

Do you use the following specification, and do you find sufficient support of existing browsers?

    ssl-default-bind-ciphers CHACHA20:AESGCM:AESCCM:!RSA

Or is this too aggressive?

Norman Branitsky
Senior Cloud Architect
P: 416-916-1752

-----Original Message-----
From: Jerome Magnin <jmag...@haproxy.com>
Sent: Wednesday, April 22, 2020 11:50 AM
To: Branitsky, Norman <norman.branit...@tylertech.com>
Cc: haproxy@formilux.org
Subject: Re: How to suppress weak ciphers

Hi Norman,

On Wed, Apr 22, 2020 at 03:29:28PM +0000, Branitsky, Norman wrote:
> HA-Proxy version 1.7.10-a7dcc3b 2018/01/02
> SSL Labs reports the CBC ciphers are "weak":
>
> [cid:image002.jpg@01D6117D.1C8AC910]
>
> I've tried to explicitly negate these ciphers with an "!" in haproxy.cfg, to no avail:
>
> ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
> ssl-default-bind-ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:!ECDHE-RSA-AES256-CBC-SHA384:!ECDHE-RSA-AES128-CBC-SHA384
> ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
> ssl-default-server-ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:!ECDHE-RSA-AES256-CBC-SHA384:!ECDHE-RSA-AES128-CBC-SHA384
>
> How do I delete the "weak" ciphers?

If you list all the ciphers you want to support, it does not make sense to negate those you don't want. Just don't list them.

You would use ! to exclude specific ciphers or cipher "families", i.e.:

    ssl-default-bind-ciphers CHACHA20:AESGCM:AESCCM:!RSA

You can find additional information on this in the manpage for ciphers(1).

Regards,
Jérôme
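As an added check (not part of the thread), the following Python script feeds both cipher strings from the thread to the OpenSSL linked into Python, using the same OpenSSL cipher-string syntax that haproxy passes through to SSL_CTX_set_cipher_list. It shows that the two `!...-CBC-...` tokens are not OpenSSL suite names at all and are silently skipped, and that `ECDHE-RSA-AES256-SHA384` and `ECDHE-RSA-AES128-SHA256` are themselves the CBC suites (OpenSSL leaves "CBC" out of its suite names), so they stay offered until they are dropped from the list. It assumes Python 3 built against OpenSSL 1.1.1 or later.

```python
import ssl

# Bind-side cipher string from the haproxy.cfg quoted in the thread,
# re-joined from its mail-wrapped lines.
THREAD_CIPHERS = (
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:"
    "!ECDHE-RSA-AES256-CBC-SHA384:!ECDHE-RSA-AES128-CBC-SHA384"
)
# The family-based string suggested in the reply.
FAMILY_CIPHERS = "CHACHA20:AESGCM:AESCCM:!RSA"


def expand(cipher_string):
    """Resolve a cipher string with the OpenSSL linked into Python (assumed
    1.1.1+). Returns one dict per suite; the fixed TLS 1.3 suites are listed
    as well, since OpenSSL always appends them to the TLS 1.2 list."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return ctx.get_ciphers()


def cbc_suites(cipher_string):
    """Names of the suites left in the list whose bulk cipher runs in CBC
    mode, i.e. the ones SSL Labs flags as weak."""
    names = []
    for c in expand(cipher_string):
        sym = (c.get("symmetric") or "").lower()  # e.g. "aes-256-cbc"
        if "cbc" in sym or (not sym and not c.get("aead", True)):
            names.append(c["name"])
    return names


def unknown_tokens(cipher_string):
    """Tokens OpenSSL does not recognise. The parser silently skips such
    tokens, so a '!' on a name that does not exist excludes nothing; detect
    them by checking whether each token selects anything on its own."""
    unknown = []
    for token in cipher_string.split(":"):
        bare = token.lstrip("!-+")
        try:
            ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER).set_ciphers(bare)
        except ssl.SSLError:
            unknown.append(token)
    return unknown


if __name__ == "__main__":
    print("ignored tokens:", unknown_tokens(THREAD_CIPHERS))
    print("CBC suites still offered:", cbc_suites(THREAD_CIPHERS))
    print("CBC suites with family string:", cbc_suites(FAMILY_CIPHERS))
```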