HAProxy SSL cipher list

This is the HAProxy cipher list Snapt is most likely going to roll out next:

ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-RC4-SHA:ECDHE-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RC4-SHA

If you are using HAProxy for SSL termination, it’s a good idea to manually specify a cipher list to prevent attacks like BEAST and to avoid other protocol weaknesses.
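As an added example (not code from the original post or from Snapt), the Python script below classifies each entry of the list above by name, reporting which suites use RC4, AES-CBC or an AEAD mode and which lack forward secrecy. The function names `classify` and `audit` are illustrative, and it handles only explicit colon-separated suite names, not selector keywords such as `ALL` or `@STRENGTH`.

```python
# Added example: audit an explicit OpenSSL-format cipher list by suite name only.
# It does not call OpenSSL, so results do not depend on the local build.

# Cipher list copied from the post above.
POST_LIST = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:"
    "ECDHE-ECDSA-RC4-SHA:ECDHE-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:"
    "ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RC4-SHA"
)

def classify(suite):
    """Return (forward_secrecy, cipher_class) for one OpenSSL suite name."""
    parts = suite.split("-")
    # Only ephemeral (EC)DH gives forward secrecy; ECDH-* is static and a
    # name with no key-exchange prefix (e.g. RC4-SHA) uses RSA key transport.
    forward_secrecy = parts[0] in ("ECDHE", "DHE", "EDH")
    if "RC4" in parts:
        cipher_class = "rc4"      # prohibited in TLS by RFC 7465
    elif {"GCM", "CCM", "CCM8"} & set(parts):
        cipher_class = "aead"
    elif any(p.startswith("AES") for p in parts):
        cipher_class = "cbc"      # the mode BEAST targets in TLS 1.0
    else:
        cipher_class = "unknown"
    return forward_secrecy, cipher_class

def audit(cipher_string):
    """Group the entries of a colon-separated cipher string by finding."""
    report = {"rc4": [], "cbc": [], "aead": [], "unknown": [],
              "no_forward_secrecy": [], "keywords": []}
    for token in filter(None, cipher_string.split(":")):
        # Selector keywords (ALL, !aNULL, @STRENGTH, ...) need OpenSSL to
        # expand them, so they are listed but not classified.
        if token[0] in "!+-@" or "-" not in token:
            report["keywords"].append(token)
            continue
        forward_secrecy, cipher_class = classify(token)
        report[cipher_class].append(token)
        if not forward_secrecy:
            report["no_forward_secrecy"].append(token)
    return report

if __name__ == "__main__":
    for finding, suites in audit(POST_LIST).items():
        print(f"{finding:20} {len(suites):2}  {' '.join(suites)}")
```

To see what a keyword-based string actually enables on a given host, expand it with that host's OpenSSL build instead.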

One thought on “HAProxy SSL cipher list”

  1. I’m using:

    ssl-default-bind-ciphers AES:ALL:!aNULL:!eNULL:!DES:!RC4:!DHE:!EDH:!MD5:!PSK:!aECDH:@STRENGTH

    This gives an A+ SSL Labs rating for haproxy along with IE6 support with TLS 1.0 enabled.

    Hope this helps
