Hi,
I’m trying to configure the rancher LB with some custom settings for Ciphers. This has been thrown up by our PCI compliance scan so I’m posting it here both because I’m looking for the best way of resolving this correctly and also as I’m guessing it would be of use to quite a few people here also requiring a PCI compliant SSL configuration.
The two issues I currently have being reported by the scan are:
- SSL 64-bit Block Size Cipher Suites Supported (SWEET32)
- SSL Medium Strength Cipher Suites Supported
Medium Strength Ciphers (> 64-bit and < 112-bit key, or 3DES)
TLSv1
ECDHE-RSA-DES-CBC3-SHA Kx=ECDH Au=RSA Enc=3DES-CBC(168) Mac=SHA1
DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES-CBC(168) Mac=SHA1
This is after removing SSL-V3 and TLSv1 ciphers with the lines:
ssl-default-bind-options no-sslv3 no-tlsv10
ssl-default-server-options no-sslv3 no-tlsv10
And this has already thrown up issues with some of our users on IE 8, 9 & 10 who can no longer connect to our website - but I guess this is the way of the world.
Having tried to read some of the HAProxy documentation it seems you can specify the ‘ssl-default-bind-ciphers’ option but this requires you listing all known good Ciphers? Is there a way to just exclude these insecure ciphers from the config? I’m afraid to configure this directly in case I remove perfectly good ciphers from our config that may be added in the future or that already exist and I’m unaware of.
Is there a way to get a list of currently active Ciphers and what’s the best practice here?
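One way to approach both questions with OpenSSL's cipher-string syntax, as an added example that is not from the original post nor from Rancher or HAProxy: exclude suite classes with `!` instead of enumerating every acceptable suite, resolve the string to the concrete list with `openssl ciphers -v`, and check that list for the 3DES/DES suites the scan flagged. It assumes a POSIX shell with awk; the cipher-string policy and the sample `openssl ciphers -v` lines are constructed for the demo.

```shell
#!/bin/sh
# Added example: build an exclusion-based cipher string, emit the HAProxy global
# lines, and flag the medium-strength suites (3DES/DES, SWEET32) in a cipher list.

# Start from the library default and subtract classes. (Constructed policy; the
# '!' keyword removes a class permanently, so nothing later can re-add it.)
CIPHER_STRING='DEFAULT:!3DES:!DES:!RC4:!MD5:!aNULL:!eNULL:!EXPORT:!LOW'

# Print the HAProxy 'global' stanza fragment for a given cipher string.
haproxy_global_lines() {
  printf 'ssl-default-bind-ciphers %s\n' "$1"
  printf 'ssl-default-bind-options no-sslv3 no-tlsv10\n'
  printf 'ssl-default-server-ciphers %s\n' "$1"
  printf 'ssl-default-server-options no-sslv3 no-tlsv10\n'
}

# Read 'openssl ciphers -v' style lines on stdin and print the names of suites
# the scan classes as medium strength: 64-bit block ciphers (3DES/DES) and RC4.
weak_suites() {
  awk '$0 ~ /Enc=(3DES|DES|RC4)/ { print $1 }'
}

# Resolve a cipher string on the local OpenSSL; fall back to the constructed
# sample when openssl is not installed so the check still runs offline.
expand_ciphers() {
  if command -v openssl >/dev/null 2>&1; then
    openssl ciphers -v "$1"
  else
    printf '%s\n' "$SAMPLE_CIPHERS"
  fi
}

# Constructed sample of 'openssl ciphers -v' output (two suites from the scan).
SAMPLE_CIPHERS='ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
ECDHE-RSA-DES-CBC3-SHA TLSv1 Kx=ECDH Au=RSA Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1'

# Demo: the unfiltered sample still carries the two 3DES suites from the scan;
# on a real host, pipe `expand_ciphers "$CIPHER_STRING"` into weak_suites.
echo '# suites a scanner would flag in the constructed sample:'
printf '%s\n' "$SAMPLE_CIPHERS" | weak_suites
echo '# HAProxy global lines for the exclusion-based policy:'
haproxy_global_lines "$CIPHER_STRING"
```

Re-run the check after every HAProxy or OpenSSL upgrade: the resolved list changes with the library, which is exactly why excluding classes is safer than a hand-written allow list.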