Bug#840735: [Pkg-haproxy-maintainers] Bug#840735: haproxy: Default SSL cipher list quotes external source, but is out of date

2016-10-14 Thread Vincent Bernat
 ❦ 14 October 2016 11:56 CEST, Tim Small:

> The default haproxy.cfg includes TLS cipher and protocol restrictions.
> They cite an external source:
>
> https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
>
> This has now been updated, so the shipping cfg file should probably be
> updated too?
>
>
> That having been said, it might be better to instead (or as well) point
> the reader at:
>
> https://mozilla.github.io/server-side-tls/ssl-config-generator/
>
> ... which gives more extensive and general configuration related to SSL
> security, as well as more options and explicit client compatibility.

At the time the default SSL configuration was put in haproxy.cfg, the
Mozilla generator already existed. Hynek's one was preferred mainly
because the configuration was smaller. The minimal configuration from
CloudFlare was also in the balance.

> You could also link the specific haproxy+openssl URL e.g. for sid at the
> moment:
>
> https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy-1.6.9=1.0.2j
>
> ... along with a recommendation to maintain security with respect to
> this URL?

I think this is a good idea.
-- 
Take care to branch the right way on equality.
- The Elements of Programming Style (Kernighan & Plauger)




Bug#840735: haproxy: Default SSL cipher list quotes external source, but is out of date

2016-10-14 Thread Tim Small
Source: haproxy
Version: 1.6.9-2
Severity: normal

The default haproxy.cfg includes TLS cipher and protocol restrictions.
They cite an external source:

https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/

This has now been updated, so the shipping cfg file should probably be
updated too?


That having been said, it might be better to instead (or as well) point
the reader at:

https://mozilla.github.io/server-side-tls/ssl-config-generator/

... which gives more extensive and general configuration related to SSL
security, as well as more options and explicit client compatibility.

You could also link the specific haproxy+openssl URL e.g. for sid at the
moment:

https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy-1.6.9=1.0.2j

... along with a recommendation to maintain security with respect to
this URL?


Thanks,

Tim.



-- System Information:
Debian Release: stretch/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.7.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
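
The report above is about a shipped cipher list drifting out of date relative to the guidance it cites. The snippet below is an added example, not part of this bug report or of the Debian haproxy package: it parses the `global` section of a haproxy.cfg and flags a default cipher string that still admits obsolete algorithms, or an `ssl-default-bind-options` line that does not disable SSLv3 and TLS 1.0. The directive names are real haproxy `global` keywords; the weak-token list, the required-options set and both sample configs are constructed here for illustration and are not the package's defaults.

```python
"""Sanity-check the TLS defaults in a haproxy.cfg 'global' section.

Added example, not part of the Debian bug report or of the haproxy package.
ssl-default-bind-ciphers and ssl-default-bind-options are real haproxy
'global' keywords; WEAK_TOKENS, REQUIRED_OPTIONS and the two sample configs
are constructed for illustration.
"""
import re

# Cipher-string atoms that a hardened default list should not admit
# (constructed, illustrative list of obsolete or broken algorithms).
WEAK_TOKENS = {"RC4", "3DES", "DES", "MD5", "NULL", "EXPORT", "EXP",
               "aNULL", "eNULL", "LOW"}

# Protocol versions a hardened default should switch off (constructed policy).
REQUIRED_OPTIONS = {"no-sslv3", "no-tlsv10"}

SECTION_RE = re.compile(
    r"^(global|defaults|frontend|backend|listen|peers|resolvers)\b")

# Constructed sample: an old-style list that still names RC4 and 3DES suites
# and only disables SSLv3.
WEAK_CFG = """
global
    log /dev/log local0
    ssl-default-bind-ciphers ALL:!aNULL:RC4-SHA:DES-CBC3-SHA
    ssl-default-bind-options no-sslv3

defaults
    mode http
"""

# Constructed sample: forward-secret AEAD suites only, SSLv3/TLS1.0/1.1 off.
HARDENED_CFG = """
global
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
"""


def parse_global_tls(cfg_text):
    """Return {directive: value} for ssl-default-* lines inside 'global'."""
    result = {}
    section = None
    for raw in cfg_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and padding
        if not line:
            continue
        if SECTION_RE.match(line):            # new section keyword
            section = line.split()[0]
            continue
        if section != "global":
            continue
        parts = line.split(None, 1)
        if parts[0].startswith("ssl-default-") and len(parts) == 2:
            result[parts[0]] = parts[1]
    return result


def audit(cfg_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    tls = parse_global_tls(cfg_text)

    ciphers = tls.get("ssl-default-bind-ciphers")
    if ciphers is None:
        findings.append("no ssl-default-bind-ciphers in global: "
                        "the OpenSSL default list applies")
    else:
        # OpenSSL cipher strings are ':'-separated; a leading '!' excludes
        # a group, so those tokens are fine and are skipped.
        for token in re.split(r"[:,\s]+", ciphers):
            if not token or token.startswith("!"):
                continue
            if any(atom in WEAK_TOKENS for atom in re.split(r"[+-]", token)):
                findings.append(
                    f"weak cipher token in ssl-default-bind-ciphers: {token}")

    options = set(tls.get("ssl-default-bind-options", "").split())
    for opt in sorted(REQUIRED_OPTIONS - options):
        findings.append(f"ssl-default-bind-options lacks {opt}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CFG), ("hardened", HARDENED_CFG)):
        print(name, audit(cfg) or ["ok"])
```

This only catches the obvious regressions (suites a current generator would never emit, protocol versions left enabled); it is no substitute for regenerating the list from the current Mozilla generator output for the installed haproxy and OpenSSL versions, which is what the report asks the package to point readers at.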