Haproxy ignoring my cipher configuration #808

Description

@maven1987

Hi, I have a problem with the HAProxy ingress controller config with ciphers.
My configmap:
default-backend-service: haproxy-controller/default-backend-service
ssl-default-bind-ciphers: ''
ssl-default-bind-ciphersuites: TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl-default-bind-options: no-sslv3 no-tlsv10 no-tlsv11 no-tlsv12 no-tls-tickets force-tlsv13
ssl-max-ver: TLSv1.3
ssl-min-ver: TLSv1.3
ssl-redirect: 'true'
ssl-redirect-code: '301'
ssl-server-preference: 'true'

Result from SSLyze:
sslyze --mozilla_config=modern

COMPLIANCE AGAINST TLS CONFIGURATION

Checking results against Mozilla's "modern" configuration. See https://ssl-config.mozilla.org/ for more details.

<my address>l:443: FAILED - Not compliant.
    * maximum_certificate_lifespan: Certificate life span is 364 days, should be less than 90.
    * certificate_types: Deployed certificate types are {'rsa'}, should have at least one of {'ecdsa'}.
    * certificate_signatures: Deployed certificate signatures are {'sha256WithRSAEncryption'}, should have at least one of {'ecdsa-with-SHA384', 'ecdsa-with-SHA512', 'ecdsa-with-SHA256'}.
    * tls_versions: TLS versions {'TLSv1.2'} are supported, but should be rejected.
    * ciphers: Cipher suites {'TLS_RSA_WITH_AES_256_GCM_SHA384', 'TLS_RSA_WITH_AES_256_CBC_SHA', 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256', 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384', 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA', 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256', 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA', 'TLS_RSA_WITH_AES_256_CCM', 'TLS_RSA_WITH_AES_128_GCM_SHA256', 'TLS_RSA_WITH_AES_128_CBC_SHA', 'TLS_RSA_WITH_AES_128_CBC_SHA256', 'TLS_RSA_WITH_AES_128_CCM', 'TLS_RSA_WITH_AES_256_CBC_SHA256'} are supported, but should be rejected.

I can't disable them or make TLS 1.3 the default.
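As an added example (not the issue author's code and not part of the HAProxy ingress controller), the check below puts the two artifacts in this report side by side: it derives the operator's intent from the configmap keys quoted above and parses the sslyze "modern" compliance lines, then reports every TLS version or cipher suite the scanner saw that the configmap was meant to exclude. The configmap and scanner lines are constructed from the values in the issue (the cipher list is shortened). One finding rests on an assumption rather than on the page: an empty `ssl-default-bind-ciphers` is treated here as expressing no restriction on the TLS 1.2-and-below cipher list, so the default list remains in effect as long as TLS 1.2 itself is still accepted.

```python
"""Compare an HAProxy ingress TLS policy (configmap keys) with sslyze findings."""
import re

# Constructed sample: the configmap keys quoted in the issue, as key/value pairs.
CONFIGMAP = {
    "ssl-default-bind-ciphers": "",
    "ssl-default-bind-ciphersuites": (
        "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
    ),
    "ssl-default-bind-options": "no-sslv3 no-tlsv10 no-tlsv11 no-tlsv12 no-tls-tickets force-tlsv13",
    "ssl-min-ver": "TLSv1.3",
    "ssl-max-ver": "TLSv1.3",
}

# Constructed sample: two sslyze "modern" compliance lines from the issue (cipher list shortened).
SSLYZE_OUTPUT = """\
    * tls_versions: TLS versions {'TLSv1.2'} are supported, but should be rejected.
    * ciphers: Cipher suites {'TLS_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'} are supported, but should be rejected.
"""

VERSION_ORDER = ["SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# Matches "* <check>: ... {<set>} are supported, but should be rejected."
FINDING_RE = re.compile(r"\*\s+(\w+):.*?\{([^}]*)\}\s+are supported, but should be rejected")


def normalize_version(token):
    """Map a bind-option token ("tlsv12", "sslv3") onto sslyze's spelling ("TLSv1.2", "SSLv3")."""
    m = re.fullmatch(r"(ssl|tls)v(\d)(\d)?", token.lower())
    if not m:
        return token
    minor = f".{m.group(3)}" if m.group(3) else ""
    return f"{m.group(1).upper()}v{m.group(2)}{minor}"


def intended_policy(cm):
    """Derive the operator's intent from the configmap values."""
    options = cm.get("ssl-default-bind-options", "").split()
    # "no-<proto>" options disable a protocol version; "no-tls-tickets" is unrelated.
    disabled = {
        normalize_version(o[len("no-"):])
        for o in options
        if o.startswith("no-") and o != "no-tls-tickets"
    }
    # HAProxy configures TLS 1.3 suites via ciphersuites and TLS <= 1.2 suites via ciphers.
    tls13 = set(filter(None, cm.get("ssl-default-bind-ciphersuites", "").split(":")))
    legacy = set(filter(None, cm.get("ssl-default-bind-ciphers", "").split(":")))
    return {
        "disabled_versions": disabled,
        "allowed_suites": tls13 | legacy,
        "legacy_ciphers_set": bool(legacy),
        "min_ver": cm.get("ssl-min-ver"),
    }


def parse_sslyze(text):
    """Return {check_name: set(items)} for every 'supported, but should be rejected' line."""
    found = {}
    for line in text.splitlines():
        m = FINDING_RE.search(line)
        if m:
            found[m.group(1)] = set(re.findall(r"'([^']+)'", m.group(2)))
    return found


def below_minimum(version, min_ver):
    """True when version is older than min_ver in the TLS version ordering."""
    if min_ver not in VERSION_ORDER or version not in VERSION_ORDER:
        return False
    return VERSION_ORDER.index(version) < VERSION_ORDER.index(min_ver)


def audit(cm, scan_text):
    """List every scanner observation that contradicts the configmap's intent."""
    policy = intended_policy(cm)
    observed = parse_sslyze(scan_text)
    findings = []
    for ver in sorted(observed.get("tls_versions", set())):
        if ver in policy["disabled_versions"] or below_minimum(ver, policy["min_ver"]):
            findings.append(f"{ver} accepted although the configmap disables it")
    for suite in sorted(observed.get("ciphers", set())):
        if suite not in policy["allowed_suites"]:
            findings.append(f"{suite} offered although it is not in the configured cipher lists")
    # Assumption (not stated on the page): an empty ciphers value restricts nothing, so the
    # default TLS <= 1.2 list stays in force for as long as TLS 1.2 is still negotiable.
    if not policy["legacy_ciphers_set"] and "TLSv1.2" in observed.get("tls_versions", set()):
        findings.append(
            "ssl-default-bind-ciphers is empty while TLSv1.2 is accepted: "
            "the default TLS <= 1.2 cipher list is in effect"
        )
    return findings


if __name__ == "__main__":
    for finding in audit(CONFIGMAP, SSLYZE_OUTPUT):
        print("-", finding)
```

Run against a fresh sslyze report by pasting its compliance lines into `SSLYZE_OUTPUT`; an empty result from `audit()` means the live listener matches the configmap, while any finding pinpoints which part of the policy did not reach the running HAProxy.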
