tls1.2: update ciphers to latest recommendations
Based upon usual recommendations from: https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ Change-Id: I6e549ab3ffcacebe04e188cbf34d8707fb0fe05d
parent
06e76706c7
commit
8dc0ff4e1f
|
@ -95,7 +95,7 @@ haproxy_ssl_cert_path: /etc/haproxy/ssl
|
|||
haproxy_ssl_bind_options: "ssl-min-ver TLSv1.2 prefer-client-ciphers"
|
||||
haproxy_ssl_server_options: "ssl-min-ver TLSv1.2"
|
||||
# TLS v1.2 and below
|
||||
haproxy_ssl_cipher_suite_tls12: "{{ haproxy_ssl_cipher_suite | default(ssl_cipher_suite_tls12 | default('ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS')) }}"
|
||||
haproxy_ssl_cipher_suite_tls12: "{{ haproxy_ssl_cipher_suite | default(ssl_cipher_suite_tls12 | default('ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES256:ECDH+AES128:!aNULL:!SHA1:!AESCCM')) }}"
|
||||
# TLS v1.3
|
||||
haproxy_ssl_cipher_suite_tls13: "{{ ssl_cipher_suite_tls13 | default('TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256') }}"
|
||||
|
||||
|
|
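Review bot: The second `haproxy_ssl_cipher_suite_tls12` line (which reads as the new side of this change) carries no comment on what the narrower default gives up or when it applies. Every entry in it is an `ECDH+` selector, so the `DH+` and `RSA+` entries of the previous default are gone and `!SHA1` excludes SHA-1 MAC suites; clients that cannot negotiate an ECDHE suite will presumably fail the TLS 1.2 handshake. The Jinja `default()` chain also means a deployment that already sets `haproxy_ssl_cipher_suite` or `ssl_cipher_suite_tls12` keeps its own list and does not pick this update up. I would add above the line: `# ECDHE-only default; no DHE/RSA key exchange, no SHA-1 MAC suites. Overridden by haproxy_ssl_cipher_suite or ssl_cipher_suite_tls12.` Because the bind options keep `prefer-client-ciphers`, the order within the list is advisory rather than enforced, which is worth stating in the same comment or in a release note.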