Re: RFC: set minimum default TLS version to 1.2 for HAProxy 2.2

2020-05-30 Thread William Lallemand
On Sat, May 30, 2020 at 04:19:02PM -0400, Joseph C. Sible wrote:
> On Sat, May 30, 2020 at 4:15 PM William Lallemand
>  wrote:
> >
> > On Sat, May 30, 2020 at 03:41:51PM -0400, Joseph C. Sible wrote:
> > > Anyway, when max < TLSv1.2, I think we should make min default to max.
> > > I think this is what you mean by "fallback on min = max", but I'm not
> > > 100% sure.
> >
> > That's exactly what I meant!
> >
> > > I don't mind the warning (since servers shouldn't ever have
> > > the max below TLSv1.2 today), but at the same time, I don't really see
> > > much value in it either.
> >
> > In my opinion the warning is important because the configuration
> > will behave differently depending on the HAProxy version you use.
> >
> > For example, in 2.1 with "ssl-max-ver TLSv1.1" alone, HAProxy will
> > accept both TLSv1.0 and TLSv1.1. If we do this change in 2.2, the same
> > configuration will only accept TLSv1.1. I think this kind of
> > configuration is ambiguous, so it's better to emit a warning if the max
> > is lower than the default min.
> 
> Ah, the loss of TLSv1.0 with just "ssl-max-ver TLSv1.1" is a good
> point. I agree that that is worth a warning.
> 

Thanks for the valuable input, I'll make a patch.

-- 
William Lallemand



Re: RFC: set minimum default TLS version to 1.2 for HAProxy 2.2

2020-05-30 Thread Joseph C. Sible
On Sat, May 30, 2020 at 4:15 PM William Lallemand
 wrote:
>
> On Sat, May 30, 2020 at 03:41:51PM -0400, Joseph C. Sible wrote:
> > Anyway, when max < TLSv1.2, I think we should make min default to max.
> > I think this is what you mean by "fallback on min = max", but I'm not
> > 100% sure.
>
> That's exactly what I meant!
>
> > I don't mind the warning (since servers shouldn't ever have
> > the max below TLSv1.2 today), but at the same time, I don't really see
> > much value in it either.
>
> In my opinion the warning is important because the configuration
> will behave differently depending on the HAProxy version you use.
>
> For example, in 2.1 with "ssl-max-ver TLSv1.1" alone, HAProxy will
> accept both TLSv1.0 and TLSv1.1. If we do this change in 2.2, the same
> configuration will only accept TLSv1.1. I think this kind of
> configuration is ambiguous, so it's better to emit a warning if the max
> is lower than the default min.

Ah, the loss of TLSv1.0 with just "ssl-max-ver TLSv1.1" is a good
point. I agree that that is worth a warning.

Joseph C. Sible



Re: RFC: set minimum default TLS version to 1.2 for HAProxy 2.2

2020-05-30 Thread William Lallemand
On Sat, May 30, 2020 at 03:41:51PM -0400, Joseph C. Sible wrote:
> Anyway, when max < TLSv1.2, I think we should make min default to max.
> I think this is what you mean by "fallback on min = max", but I'm not
> 100% sure.

That's exactly what I meant!

> I don't mind the warning (since servers shouldn't ever have
> the max below TLSv1.2 today), but at the same time, I don't really see
> much value in it either.

In my opinion the warning is important because the configuration
will behave differently depending on the HAProxy version you use.

For example, in 2.1 with "ssl-max-ver TLSv1.1" alone, HAProxy will
accept both TLSv1.0 and TLSv1.1. If we do this change in 2.2, the same
configuration will only accept TLSv1.1. I think this kind of
configuration is ambiguous, so it's better to emit a warning if the max
is lower than the default min.

-- 
William Lallemand
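The message above describes three ways a bind line's TLS window can resolve when only ssl-max-ver is set: 2.1 (default min TLSv1.0, so "ssl-max-ver TLSv1.1" accepts 1.0 and 1.1), 2.2 before the fix (default min dropped, leaving no floor, the SSLv3 case raised earlier in the thread) and 2.2 with the agreed "min = max plus warning" fallback. The model below is an added example, not HAProxy's code; the version ordering, the per-release defaults and the function and class names are assumptions made for the illustration.

```python
"""Model of how a bind line's TLS min/max window resolves (added example).

Reproduces the behaviour discussed in the thread for comparison; it is not
HAProxy's implementation. VERSIONS, DEFAULT_MIN, Policy and resolve() are
names chosen here for the illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Protocol versions ordered oldest to newest (constructed ordering).
VERSIONS = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# Default minimum on bind lines as stated in the thread:
# TLSv1.0 since 1.8, TLSv1.2 proposed for 2.2.
DEFAULT_MIN = {"2.1": "TLSv1.0", "2.2": "TLSv1.2"}


def _idx(ver: str) -> int:
    """Rank of a version label; raises ValueError for unknown labels."""
    return VERSIONS.index(ver)


@dataclass
class Policy:
    """Resolved version window for one bind line plus config warnings."""
    min_ver: Optional[str]          # None: no floor (library minimum)
    max_ver: Optional[str]          # None: no ceiling (library maximum)
    warnings: List[str] = field(default_factory=list)

    def accepted(self) -> List[str]:
        """Protocol versions a client may negotiate under this policy."""
        lo = 0 if self.min_ver is None else _idx(self.min_ver)
        hi = len(VERSIONS) - 1 if self.max_ver is None else _idx(self.max_ver)
        return VERSIONS[lo:hi + 1]


def resolve(haproxy_version: str,
            ssl_min_ver: Optional[str] = None,
            ssl_max_ver: Optional[str] = None,
            fallback_min_to_max: bool = True) -> Policy:
    """Resolve the effective window for a bind line.

    fallback_min_to_max=True models the behaviour agreed in the thread
    (max below the default min => min = max, with a warning);
    False models the earlier behaviour where the default min was simply
    dropped, leaving no floor at all.
    """
    default_min = DEFAULT_MIN[haproxy_version]
    warnings: List[str] = []

    # An explicit min above an explicit max is a contradiction, not a window.
    if (ssl_min_ver is not None and ssl_max_ver is not None
            and _idx(ssl_min_ver) > _idx(ssl_max_ver)):
        raise ValueError(
            f"ssl-min-ver {ssl_min_ver} is above ssl-max-ver {ssl_max_ver}")

    min_ver = ssl_min_ver
    if min_ver is None:
        if ssl_max_ver is not None and _idx(ssl_max_ver) < _idx(default_min):
            warnings.append(
                f"ssl-max-ver {ssl_max_ver} is below the default ssl-min-ver "
                f"{default_min}; set ssl-min-ver explicitly")
            min_ver = ssl_max_ver if fallback_min_to_max else None
        else:
            min_ver = default_min
    return Policy(min_ver, ssl_max_ver, warnings)


if __name__ == "__main__":
    # The ambiguous configuration from the thread under each behaviour.
    for label, kwargs in [
        ("2.1, max-only", dict(haproxy_version="2.1", ssl_max_ver="TLSv1.1")),
        ("2.2 no fallback", dict(haproxy_version="2.2", ssl_max_ver="TLSv1.1",
                                 fallback_min_to_max=False)),
        ("2.2 fallback", dict(haproxy_version="2.2", ssl_max_ver="TLSv1.1")),
    ]:
        p = resolve(**kwargs)
        print(f"{label:16} accepts {p.accepted()} warnings={p.warnings}")
```

Running the block prints the three outcomes side by side: the 2.1 window is TLSv1.0 and TLSv1.1, the unpatched 2.2 window silently widens down to SSLv3, and the fallback closes it to TLSv1.1 alone while reporting the ambiguity.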



Re: RFC: set minimum default TLS version to 1.2 for HAProxy 2.2

2020-05-30 Thread Joseph C. Sible
On Sat, May 30, 2020 at 3:22 PM William Lallemand
 wrote:
>
> On Sat, May 30, 2020 at 08:41:04PM +0200, William Lallemand wrote:
> > On Sat, May 30, 2020 at 02:04:56PM -0400, Joseph C. Sible wrote:
> > >
> > > I'm happy about this change, but I notice a flaw in its
> > > implementation: it looks like servers that specify "ssl-max-ver
> > > TLSv1.0" or "ssl-max-ver TLSv1.1" without specifying ssl-min-ver would
> > > previously have disallowed SSLv3, but will now allow it. (I hope this
> > > case doesn't actually exist anywhere in practice, but if it does for
> > > some reason, we probably don't want to make them even less secure.)
> > >
> > > Joseph C. Sible
> >
> > Hello Joseph,
> >
> > No changes were made for server lines, we were only talking about bind
> > lines here. There was never a default minimum on server lines.
> >
> > On bind lines, indeed, if you set a maximum which is lower than the
> > default min, the default min won't be used. This was already the case
> > previously in fact, but the default was TLSv1.0 so it was less a
> > problem.
> >
> > What I suggest is to display a warning if it happens, so people don't have
> > any surprise.
> >
> > What do you think?
>
> Actually I think in this case it's safer to fallback on min = max and to
> display the warning.

Ah, I was being a bit imprecise. I was using "servers" in the sense of
"HAProxy load balancer servers" in general, not "server lines".

Anyway, when max < TLSv1.2, I think we should make min default to max.
I think this is what you mean by "fallback on min = max", but I'm not
100% sure. I don't mind the warning (since servers shouldn't ever have
the max below TLSv1.2 today), but at the same time, I don't really see
much value in it either.

Joseph C. Sible



Re: RFC: set minimum default TLS version to 1.2 for HAProxy 2.2

2020-05-30 Thread William Lallemand
On Sat, May 30, 2020 at 08:41:04PM +0200, William Lallemand wrote:
> On Sat, May 30, 2020 at 02:04:56PM -0400, Joseph C. Sible wrote:
> > > Thanks for the feedback, I made the change and pushed it in the master.
> > >
> > 
> > I'm happy about this change, but I notice a flaw in its
> > implementation: it looks like servers that specify "ssl-max-ver
> > TLSv1.0" or "ssl-max-ver TLSv1.1" without specifying ssl-min-ver would
> > previously have disallowed SSLv3, but will now allow it. (I hope this
> > case doesn't actually exist anywhere in practice, but if it does for
> > some reason, we probably don't want to make them even less secure.)
> > 
> > Joseph C. Sible
> 
> Hello Joseph,
> 
> No changes were made for server lines, we were only talking about bind
> lines here. There was never a default minimum on server lines.
> 
> On bind lines, indeed, if you set a maximum which is lower than the
> default min, the default min won't be used. This was already the case
> previously in fact, but the default was TLSv1.0 so it was less a
> problem.
> 
> What I suggest is to display a warning if it happens, so people don't have
> any surprise.
> 
> What do you think?

Actually I think in this case it's safer to fallback on min = max and to
display the warning.

-- 
William Lallemand



Re: RFC: set minimum default TLS version to 1.2 for HAProxy 2.2

2020-05-30 Thread William Lallemand
On Sat, May 30, 2020 at 02:04:56PM -0400, Joseph C. Sible wrote:
> > Thanks for the feedback, I made the change and pushed it in the master.
> >
> 
> I'm happy about this change, but I notice a flaw in its
> implementation: it looks like servers that specify "ssl-max-ver
> TLSv1.0" or "ssl-max-ver TLSv1.1" without specifying ssl-min-ver would
> previously have disallowed SSLv3, but will now allow it. (I hope this
> case doesn't actually exist anywhere in practice, but if it does for
> some reason, we probably don't want to make them even less secure.)
> 
> Joseph C. Sible

Hello Joseph,

No changes were made for server lines, we were only talking about bind
lines here. There was never a default minimum on server lines.

On bind lines, indeed, if you set a maximum which is lower than the
default min, the default min won't be used. This was already the case
previously in fact, but the default was TLSv1.0 so it was less a
problem.

What I suggest is to display a warning if it happens, so people don't have
any surprise.

What do you think?

-- 
William Lallemand



Re: RFC: set minimum default TLS version to 1.2 for HAProxy 2.2

2020-05-30 Thread Joseph C. Sible
On Fri, May 29, 2020 at 3:09 AM William Lallemand
 wrote:
>
> On Wed, May 27, 2020 at 12:40:54PM +0200, William Lallemand wrote:
> > Hello List,
> >
> > Since HAProxy 1.8, the minimum default TLS version for bind lines is
> > TLSv1.0. I was thinking of increasing this minimum default to TLSv1.1 before
> > the 2.2 release. But when we discussed the other day about the DH
> > param set to 2048 by default, I read that RHEL 8 was also disabling
> > TLSv1.1 by default. TLSv1.2 has existed for 12 years; it is widespread
> > nowadays.
> >
> > So in my opinion we should do the same, and set the minimum version to
> > TLSv1.2 by default on bind lines. It's still configurable with
> > min-ssl-ver if you want the support for prior TLS versions.
> >
> > Does anybody have any objections?
> >
>
> Thanks for the feedback, I made the change and pushed it in the master.
>
> --
> William Lallemand
>

I'm happy about this change, but I notice a flaw in its
implementation: it looks like servers that specify "ssl-max-ver
TLSv1.0" or "ssl-max-ver TLSv1.1" without specifying ssl-min-ver would
previously have disallowed SSLv3, but will now allow it. (I hope this
case doesn't actually exist anywhere in practice, but if it does for
some reason, we probably don't want to make them even less secure.)

Joseph C. Sible



Re: RFC: set minimum default TLS version to 1.2 for HAProxy 2.2

2020-05-29 Thread William Lallemand
On Fri, May 29, 2020 at 11:35:42AM +0200, William Dauchy wrote:
> On Wed, May 27, 2020 at 12:42 PM William Lallemand
>  wrote:
> > So in my opinion we should do the same, and set the minimum version to
> > TLSv1.2 by default on bind lines. It's still configurable with
> > min-ssl-ver if you want the support for prior TLS versions.
> > Does anybody have any objections?
> 
> Even though I'm late in the reply, I think it is a good decision.
> Modern browsers are going to disable it at some point; on our side we
> disabled TLS 1.0 and 1.1 completely last year. The traffic coming from
> browsers with this version was very low (around 1% IIRC, no more than
> 2%), and we also realised a big part of it was in fact fraudulent
> traffic coming from bots, so the final decision was not hard.
> 

Thanks William, these are really interesting numbers.

-- 
William Lallemand



Re: RFC: set minimum default TLS version to 1.2 for HAProxy 2.2

2020-05-29 Thread William Dauchy
On Wed, May 27, 2020 at 12:42 PM William Lallemand
 wrote:
> So in my opinion we should do the same, and set the minimum version to
> TLSv1.2 by default on bind lines. It's still configurable with
> min-ssl-ver if you want the support for prior TLS versions.
> Does anybody have any objections?

Even though I'm late in the reply, I think it is a good decision.
Modern browsers are going to disable it at some point; on our side we
disabled TLS 1.0 and 1.1 completely last year. The traffic coming from
browsers with this version was very low (around 1% IIRC, no more than
2%), and we also realised a big part of it was in fact fraudulent
traffic coming from bots, so the final decision was not hard.

-- 
William



Re: RFC: set minimum default TLS version to 1.2 for HAProxy 2.2

2020-05-29 Thread William Lallemand
On Fri, May 29, 2020 at 12:58:41PM +0500, Илья Шипицин wrote:
> BTW, what is the minimal supported OpenSSL version? 0.9.7? How will that work
> on it?
> 

I honestly haven't compiled with 0.9.7 for a while; it's quite old. Even on
RHEL5 there is a 0.9.8 version, and the extended support of RHEL5 ends
this year.

The recommendation is to use an OpenSSL version which is supported by
your maintained distribution or maintained by OpenSSL.

It's not too difficult to keep the 0.9.8 support at the moment, but
once it begins to be painful, we'll probably drop it.

-- 
William Lallemand



Re: RFC: set minimum default TLS version to 1.2 for HAProxy 2.2

2020-05-29 Thread Илья Шипицин
BTW, what is the minimal supported OpenSSL version? 0.9.7? How will that work
on it?

On Fri, 29 May 2020 at 12:11, William Lallemand wrote:

> On Wed, May 27, 2020 at 12:40:54PM +0200, William Lallemand wrote:
> > Hello List,
> >
> > Since HAProxy 1.8, the minimum default TLS version for bind lines is
> > TLSv1.0. I was thinking of increasing this minimum default to TLSv1.1 before
> > the 2.2 release. But when we discussed the other day about the DH
> > param set to 2048 by default, I read that RHEL 8 was also disabling
> > TLSv1.1 by default. TLSv1.2 has existed for 12 years; it is widespread
> > nowadays.
> >
> > So in my opinion we should do the same, and set the minimum version to
> > TLSv1.2 by default on bind lines. It's still configurable with
> > min-ssl-ver if you want the support for prior TLS versions.
> >
> > Does anybody have any objections?
> >
>
> Thanks for the feedback, I made the change and pushed it in the master.
>
> --
> William Lallemand
>
>


Re: RFC: set minimum default TLS version to 1.2 for HAProxy 2.2

2020-05-29 Thread William Lallemand
On Wed, May 27, 2020 at 12:40:54PM +0200, William Lallemand wrote:
> Hello List,
> 
> Since HAProxy 1.8, the minimum default TLS version for bind lines is
> TLSv1.0. I was thinking of increasing this minimum default to TLSv1.1 before
> the 2.2 release. But when we discussed the other day about the DH
> param set to 2048 by default, I read that RHEL 8 was also disabling
> TLSv1.1 by default. TLSv1.2 has existed for 12 years; it is widespread
> nowadays.
> 
> So in my opinion we should do the same, and set the minimum version to
> TLSv1.2 by default on bind lines. It's still configurable with
> min-ssl-ver if you want the support for prior TLS versions.
> 
> Does anybody have any objections?
> 

Thanks for the feedback, I made the change and pushed it in the master.

-- 
William Lallemand



Re: RFC: set minimum default TLS version to 1.2 for HAProxy 2.2

2020-05-27 Thread Lukas Tribus
Hello,


On Wed, 27 May 2020 at 13:33, Илья Шипицин  wrote:
> On Wed, 27 May 2020 at 16:09, Tim Düsterhus wrote:
>>
>> William,
>>
>> On 27.05.20 at 12:40, William Lallemand wrote:
>> > Hello List,
>> >
>> > Since HAProxy 1.8, the minimum default TLS version for bind lines is
>> > TLSv1.0. I was thinking of increasing this minimum default to TLSv1.1 before
>> > the 2.2 release. But when we discussed the other day about the DH
>> > param set to 2048 by default, I read that RHEL 8 was also disabling
>> > TLSv1.1 by default. TLSv1.2 has existed for 12 years; it is widespread
>> > nowadays.
>> >
>> > So in my opinion we should do the same, and set the minimum version to
>> > TLSv1.2 by default on bind lines. It's still configurable with
>> > min-ssl-ver if you want the support for prior TLS versions.
>> >
>> > Does anybody have any objections?
>> >
>>
>> As a data point:
>>
>> The OpenSSL shipped with Debian Buster does not support anything below
>> TLS 1.2 by default [1]. The same is true starting with Ubuntu 20.04 LTS.
>
>
>
> I know several real-world cases when people had to build their own OpenSSL on
> Debian Buster in order to get TLS 1.0 back

I'm certain that there are a ton of sites that still need TLSv1.0 going
forward; however, that doesn't mean we cannot change our *DEFAULTS* in
a new *MAJOR* release, a default that is easily overwritten by a
single configuration statement (and which is present in most
configurations anyway). We are not talking about build options here.

So in my opinion bumping the default minimum TLS version to 1.2 is a
good thing and brings us in line with industry standard practices at
this point. Therefore I don't have any objections.


Lukas



Re: RFC: set minimum default TLS version to 1.2 for HAProxy 2.2

2020-05-27 Thread Tim Düsterhus
Ilya,

On 27.05.20 at 13:33, Илья Шипицин wrote:
>> As a data point:
>>
>> The OpenSSL shipped with Debian Buster does not support anything below
>> TLS 1.2 by default [1]. The same is true starting with Ubuntu 20.04 LTS.
>>
> 
> 
> I know several real-world cases when people had to build their own OpenSSL
> on Debian Buster in order to get TLS 1.0 back
> 

Sure. But admins that are capable enough to compile their own OpenSSL
will be capable enough to add the following to their HAProxy configuration:

ssl-default-bind-options ssl-min-ver TLSv1.0

However, in the general case you won't get far as a client in today's
Internet without supporting TLS 1.2. For my machines I dropped support
for anything < 1.2 on port 443 more than 2 years ago.

Best regards
Tim Düsterhus
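As an added illustration (not configuration from the thread or from the HAProxy project) of the override Tim mentions and of the max-only ambiguity discussed later in the thread: a global default that pins the floor at TLSv1.2 regardless of release, plus one legacy listener that states both bounds explicitly instead of relying on the default minimum. The certificate path, ports and frontend names are assumed placeholders.

```haproxy
global
    # Hardened floor for every bind line. Stating it explicitly makes the
    # behaviour identical on 2.1 (default min TLSv1.0) and 2.2 (default
    # min TLSv1.2), so a release upgrade does not change what is accepted.
    ssl-default-bind-options ssl-min-ver TLSv1.2

frontend www
    # Inherits the TLSv1.2 floor from ssl-default-bind-options.
    bind :443 ssl crt /etc/haproxy/certs/site.pem

frontend legacy
    # A listener that must still accept an old client. Give BOTH bounds:
    # "ssl-max-ver TLSv1.1" alone would leave the floor to the release's
    # default minimum (accepting TLSv1.0 on 2.1, and triggering the
    # min = max fallback and its warning on 2.2).
    bind :8443 ssl crt /etc/haproxy/certs/site.pem ssl-min-ver TLSv1.0 ssl-max-ver TLSv1.1
```

The per-bind `ssl-min-ver`/`ssl-max-ver` override the global default only for that line, so the rest of the configuration keeps the TLSv1.2 floor.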



Re: RFC: set minimum default TLS version to 1.2 for HAProxy 2.2

2020-05-27 Thread Julien Pivotto
On 27 May 12:40, William Lallemand wrote:
> Hello List,
> 
> Since HAProxy 1.8, the minimum default TLS version for bind lines is
> TLSv1.0. I was thinking of increasing this minimum default to TLSv1.1 before
> the 2.2 release. But when we discussed the other day about the DH
> param set to 2048 by default, I read that RHEL 8 was also disabling
> TLSv1.1 by default. TLSv1.2 has existed for 12 years; it is widespread
> nowadays.
> 
> So in my opinion we should do the same, and set the minimum version to
> TLSv1.2 by default on bind lines. It's still configurable with
> min-ssl-ver if you want the support for prior TLS versions.
> 
> Does anybody have any objections?


That would be really good.


> 
> -- 
> William Lallemand
> 

-- 
 (o-Julien Pivotto
 //\Open-Source Consultant
 V_/_   Inuits - https://www.inuits.eu




Re: RFC: set minimum default TLS version to 1.2 for HAProxy 2.2

2020-05-27 Thread Илья Шипицин
On Wed, 27 May 2020 at 16:09, Tim Düsterhus wrote:

> William,
>
> On 27.05.20 at 12:40, William Lallemand wrote:
> > Hello List,
> >
> > Since HAProxy 1.8, the minimum default TLS version for bind lines is
> > TLSv1.0. I was thinking of increasing this minimum default to TLSv1.1 before
> > the 2.2 release. But when we discussed the other day about the DH
> > param set to 2048 by default, I read that RHEL 8 was also disabling
> > TLSv1.1 by default. TLSv1.2 has existed for 12 years; it is widespread
> > nowadays.
> >
> > So in my opinion we should do the same, and set the minimum version to
> > TLSv1.2 by default on bind lines. It's still configurable with
> > min-ssl-ver if you want the support for prior TLS versions.
> >
> > Does anybody have any objections?
> >
>
> As a data point:
>
> The OpenSSL shipped with Debian Buster does not support anything below
> TLS 1.2 by default [1]. The same is true starting with Ubuntu 20.04 LTS.
>


I know several real-world cases when people had to build their own OpenSSL
on Debian Buster in order to get TLS 1.0 back


>
> Best regards
> Tim Düsterhus
>
> [1]
>
> https://www.debian.org/releases/stable/amd64/release-notes/ch-information.en.html#openssl-defaults
>
>


Re: RFC: set minimum default TLS version to 1.2 for HAProxy 2.2

2020-05-27 Thread Tim Düsterhus
William,

On 27.05.20 at 12:40, William Lallemand wrote:
> Hello List,
> 
> Since HAProxy 1.8, the minimum default TLS version for bind lines is
> TLSv1.0. I was thinking of increasing this minimum default to TLSv1.1 before
> the 2.2 release. But when we discussed the other day about the DH
> param set to 2048 by default, I read that RHEL 8 was also disabling
> TLSv1.1 by default. TLSv1.2 has existed for 12 years; it is widespread
> nowadays.
> 
> So in my opinion we should do the same, and set the minimum version to
> TLSv1.2 by default on bind lines. It's still configurable with
> min-ssl-ver if you want the support for prior TLS versions.
> 
> Does anybody have any objections?
> 

As a data point:

The OpenSSL shipped with Debian Buster does not support anything below
TLS 1.2 by default [1]. The same is true starting with Ubuntu 20.04 LTS.

Best regards
Tim Düsterhus

[1]
https://www.debian.org/releases/stable/amd64/release-notes/ch-information.en.html#openssl-defaults



Re: RFC: set minimum default TLS version to 1.2 for HAProxy 2.2

2020-05-27 Thread Илья Шипицин
As a person running a pretty large load balancer installation, I confirm
there are a lot of usages of TLS 1.0.
For example, depending on the .NET version, the default setting might be TLS 1.0 if
you run .NET 4.5.

The ability to turn on TLS 1.0 without recompiling is a must-have.


I'm not even sure about the benefits of disabling TLS 1.0; yes, it lacks PFS
support, but it is still not vulnerable to any attack and is widely used
(believe me).

I agree there are special cases like PCI DSS 3.2, but it is not the default
:)

On Wed, 27 May 2020 at 15:43, William Lallemand wrote:

> Hello List,
>
> Since HAProxy 1.8, the minimum default TLS version for bind lines is
> TLSv1.0. I was thinking of increasing this minimum default to TLSv1.1 before
> the 2.2 release. But when we discussed the other day about the DH
> param set to 2048 by default, I read that RHEL 8 was also disabling
> TLSv1.1 by default. TLSv1.2 has existed for 12 years; it is widespread
> nowadays.
>
> So in my opinion we should do the same, and set the minimum version to
> TLSv1.2 by default on bind lines. It's still configurable with
> min-ssl-ver if you want the support for prior TLS versions.
>
> Does anybody have any objections?
>
> --
> William Lallemand
>
>