On Wed, 25 Sept 2024 at 18:01, Olivier D <[email protected]> wrote:
>
>
>
> On Wed, 25 Sept 2024 at 17:37, Lukas Tribus <[email protected]> wrote:
>>
>> > With TLS 1.2 you can see that RSA+SHA1 is available. I was unable to find
>> > a way to disable it in HAProxy config. Can you point me to the right
>> > direction ?
>>
>> sigalgs are documented and its configuration statements are:
>>
>> client-sigalgs <sigalgs>
>> sigalgs <sigalgs>
>> ssl-default-bind-client-sigalgs <sigalgs>
>> ssl-default-bind-sigalgs <sigalgs>
>>
>> If you already tried those, please explain what exactly you tried and
>> how (sigalgs haproxy configuration, versions as per haproxy -vv, etc).
>>
>
> You are right ! These directives were introduced in HAProxy 2.8 and I'm using
> 2.4 right now (planning on 2.6 update in a few weeks).
> Can it be done on those versions, or should I update to 2.8 first ?

You can probably work around this with the openssl configuration file
(openssl.cnf).

I would suggest upgrading to 2.8, yes. Although 2.6 is still supported
for some time I don't think there will be much effort in backporting
features (which generally I'm not a big fan of).

Lukas
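
The four directives named in this thread, shown in an HAProxy 2.8+ configuration that leaves RSA+SHA1 out of the negotiated signature algorithms. This is an added example, not part of the original messages; the algorithm list, certificate path, frontend/backend names and backend address are assumptions to adapt.

```haproxy
# Added example, not from the thread. Needs HAProxy 2.8 or later, where the
# sigalgs directives exist. The lists below are an assumed policy: SHA-256 and
# stronger only, so RSA+SHA1 is never offered. Names use OpenSSL's
# signature-algorithm syntax.

global
    # Algorithms the server may use to sign its side of the TLS 1.2/1.3
    # handshake. The rsa_pss_rsae_* entries keep TLS 1.3 working with RSA keys.
    ssl-default-bind-sigalgs ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512

    # Algorithms accepted when a client authenticates with a certificate.
    ssl-default-bind-client-sigalgs ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend fe_https
    # Per-bind override of the global default using the sigalgs / client-sigalgs
    # bind keywords. The certificate path is a placeholder.
    bind :443 ssl crt /etc/haproxy/certs/example.pem sigalgs ECDSA+SHA256:rsa_pss_rsae_sha256:RSA+SHA256 client-sigalgs ECDSA+SHA256:rsa_pss_rsae_sha256:RSA+SHA256
    default_backend be_app

backend be_app
    # Placeholder backend address.
    server app1 127.0.0.1:8080
```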

