Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hey!

Currently, the configuration file shipped with haproxy comes with a
cipher list where RC4 is allowed:

  kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL

Since RC4 is almost broken, it seems a good idea to remove it. To keep
compatibility with older browsers, other ciphers need to be introduced
(3DES). There are many recommended cipher strings in the wild:

  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
  https://wiki.mozilla.org/Security/Server_Side_TLS
  https://github.com/cloudflare/sslconfig/blob/master/conf

We picked the first one. See the attached debdiff. Would such a change
be accepted for Jessie? Not uploaded yet.

unblock haproxy/1.5.8-3

- -- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (101, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.19.0-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJU8EjwAAoJEJWkL+g1NSX5CKoP/27SsCHAY66Se/Ym/3P7YzN2
bKi7GCwkeIBwB7mWNKkBtGUZccOm4PNrI0nErht/qEFDK37PF2uJEIaUphoEnr8n
Th7BlAFJ7tiSaozaKAr352O3apfQ82kGDwuDs+UeUIHdUu9l6XsgN7lYtVtx6Lx9
IUhFbChblM8vjoyGKIb9636hDQVdpYDmwPgSU8sEPsS5WAWT5UdhHly/IL9gPEJg
nwg4usReOGsqzDvQZPbYNTNxkNDtA7/UMGsuZNAqNfbZPK+DpkkpgA3QX2NLuL2p
UNDEan0HwZmlXhVbJ3VHJUCs15mDoLIcN7GwORIWD5lYaL9dike30eltV1wb6h9a
TwN+iuuDNBzakrDT/3nUeNdKg/WJSZ/uCxtxvRmR5Oi6/gsLxsMSYS4aJbd5mXGz
gR+UakBkTbyq3i5xt+CGxrYcSgj6YfrxXLqVYj0/vWYBbFyRX/EL9CBlBdUaBhyt
YJPCeGwnzONL6MOlT0a1yZ3taesaxQRl3jhT1NGj73db2+E81TzRKTZ5mMTmtycx
52f1NqscmckGx2dQyM8/VzBXiNv0biA0ZcT7Xu9hRi5RcW4KZYeXVCL4YhwQe5aE
9ggIkeh7P2sSxZ1ja8PR0TBobSbiVFhI48T/YqgvPDVAv46iTnqfWI93WE/tZ117
/17uSAxT3ek7nAg2qzHK
=CXnd
-----END PGP SIGNATURE-----
diff --git a/debian/changelog b/debian/changelog index 0b49137269e2..c3e53128d0fd 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +haproxy (1.5.8-3) unstable; urgency=medium + + * Remove RC4 from the default cipher string shipped in configuration. + + -- Vincent Bernat <ber...@debian.org> Fri, 27 Feb 2015 11:29:23 +0100 + haproxy (1.5.8-2) unstable; urgency=medium * Cherry-pick the following patches from 1.5.9 release: diff --git a/debian/haproxy.cfg b/debian/haproxy.cfg index f84a37c9b428..86da67d552d2 100644 --- a/debian/haproxy.cfg +++ b/debian/haproxy.cfg @@ -13,9 +13,10 @@ global crt-base /etc/ssl/private # Default ciphers to use on SSL-enabled listening sockets. - # For more information, see ciphers(1SSL). - ssl-default-bind-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL - ssl-default-bind-options no-sslv3 + # For more information, see ciphers(1SSL). This list is from: + # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ + ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS + ssl-default-bind-options no-sslv3 defaults log global
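Review bot: the changelog entry (`+ * Remove RC4 from the default cipher string shipped in configuration.`) describes only part of what the haproxy.cfg hunk does: besides dropping `RC4-SHA`, the new string removes the `!kEDH` exclusion (so `DH+...` suites become negotiable) and adds `ECDH+3DES:DH+3DES:RSA+3DES` as the fallback for old clients. For a freeze-exception upload the release team and users reading the changelog should see the whole behaviour change; suggest something like `* Replace the default cipher string: drop RC4, add 3DES for old clients and enable DHE (string from https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/).`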
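Review bot: in the haproxy.cfg hunk, the new `ssl-default-bind-ciphers` line enables the `DH+AESGCM:DH+AES256:DH+AES:DH+3DES` suites that the old string shut off with `!kEDH`, so a DHE handshake now depends on the size of haproxy's ephemeral DH parameters; nothing in the visible context sets `tune.ssl.default-dh-param`, and haproxy 1.5 falls back to 1024-bit parameters and prints a startup warning telling you to set it to at least 2048. Either add `tune.ssl.default-dh-param 2048` to the `global` section in this hunk (next to `ssl-default-bind-options no-sslv3`) or say in the comment why DHE is left at the default. Separately, the old string's explicit `!LOW:!EXP:!eNULL` guards are gone; they are redundant because every positive selector in the new string names AESGCM, AES or 3DES, but a short note in the comment would save the next reader from re-deriving that.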
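To make the before/after comparison reproducible without a Jessie-era OpenSSL at hand, here is an added example (not code from the report, the debdiff or haproxy): a small Python evaluator of the ciphers(1) string rules (`:` separates tokens, `A+B` means both, `!` removes permanently, `-` removes, `+` moves to the end) run over a constructed subset of the OpenSSL 1.0.x suite table. The table, its ordering and the alias predicates are assumptions modelled on `openssl ciphers -v` output; the real expansion on Jessie is longer (TLS 1.2 CBC-SHA2 suites, ECDSA suites and so on), and `openssl ciphers -v '<string>'` stays the authoritative check.

```python
"""Toy evaluator for OpenSSL cipher strings (added example, not haproxy or
Debian code).  Applies the ciphers(1) rules to a constructed subset of the
OpenSSL 1.0.x suite table so the two strings from this report can be
compared offline; it is not a substitute for `openssl ciphers -v`."""
from collections import namedtuple

# kx: ECDH/DH (ephemeral) or RSA; au: RSA, DSS or NULL (anonymous); mac: AEAD/SHA1/MD5
Suite = namedtuple("Suite", "name kx au enc mac strength")

# Constructed subset, in OpenSSL's rough default order (ECDHE, DHE, then static
# RSA); attributes as printed by `openssl ciphers -v` on OpenSSL 1.0.x.
SUITES = [
    Suite("ECDHE-RSA-AES256-GCM-SHA384", "ECDH", "RSA", "AES256GCM", "AEAD", "HIGH"),
    Suite("ECDHE-RSA-AES128-GCM-SHA256", "ECDH", "RSA", "AES128GCM", "AEAD", "HIGH"),
    Suite("ECDHE-RSA-AES256-SHA", "ECDH", "RSA", "AES256", "SHA1", "HIGH"),
    Suite("ECDHE-RSA-AES128-SHA", "ECDH", "RSA", "AES128", "SHA1", "HIGH"),
    Suite("ECDHE-RSA-DES-CBC3-SHA", "ECDH", "RSA", "3DES", "SHA1", "HIGH"),
    Suite("AECDH-AES256-SHA", "ECDH", "NULL", "AES256", "SHA1", "HIGH"),
    Suite("DHE-RSA-AES256-GCM-SHA384", "DH", "RSA", "AES256GCM", "AEAD", "HIGH"),
    Suite("DHE-RSA-AES128-GCM-SHA256", "DH", "RSA", "AES128GCM", "AEAD", "HIGH"),
    Suite("DHE-RSA-AES256-SHA", "DH", "RSA", "AES256", "SHA1", "HIGH"),
    Suite("DHE-RSA-AES128-SHA", "DH", "RSA", "AES128", "SHA1", "HIGH"),
    Suite("EDH-RSA-DES-CBC3-SHA", "DH", "RSA", "3DES", "SHA1", "HIGH"),
    Suite("DHE-DSS-AES256-SHA", "DH", "DSS", "AES256", "SHA1", "HIGH"),
    Suite("AES256-GCM-SHA384", "RSA", "RSA", "AES256GCM", "AEAD", "HIGH"),
    Suite("AES128-GCM-SHA256", "RSA", "RSA", "AES128GCM", "AEAD", "HIGH"),
    Suite("AES256-SHA", "RSA", "RSA", "AES256", "SHA1", "HIGH"),
    Suite("AES128-SHA", "RSA", "RSA", "AES128", "SHA1", "HIGH"),
    Suite("DES-CBC3-SHA", "RSA", "RSA", "3DES", "SHA1", "HIGH"),
    Suite("RC4-SHA", "RSA", "RSA", "RC4", "SHA1", "MEDIUM"),
    Suite("EXP-RC4-MD5", "RSA", "RSA", "RC4", "MD5", "EXPORT"),
]
NAMES = {s.name for s in SUITES}

ALIASES = {  # the aliases used by the two strings, as predicates over a suite
    "kEECDH": lambda s: s.kx == "ECDH", "ECDH": lambda s: s.kx == "ECDH",
    "kEDH": lambda s: s.kx == "DH", "DH": lambda s: s.kx == "DH",
    "kRSA": lambda s: s.kx == "RSA", "aRSA": lambda s: s.au == "RSA",
    "RSA": lambda s: s.kx == "RSA" and s.au == "RSA",
    "DSS": lambda s: s.au == "DSS", "aNULL": lambda s: s.au == "NULL",
    "eNULL": lambda s: s.enc == "NULL",
    "AESGCM": lambda s: s.enc.endswith("GCM"),
    "AES": lambda s: s.enc.startswith("AES"),
    "AES256": lambda s: s.enc.startswith("AES256"),
    "AES128": lambda s: s.enc.startswith("AES128"),
    "3DES": lambda s: s.enc == "3DES", "RC4": lambda s: s.enc == "RC4",
    "MD5": lambda s: s.mac == "MD5",
    "LOW": lambda s: s.strength == "LOW", "EXP": lambda s: s.strength == "EXPORT",
}


def matches(token, suite):
    """True if `suite` satisfies every '+'-joined part of `token`."""
    for part in token.split("+"):
        if part in NAMES:            # a bare suite name matches only itself
            if suite.name != part:
                return False
        elif part not in ALIASES:
            raise ValueError("unknown cipher alias: %r" % part)
        elif not ALIASES[part](suite):
            return False
    return True


def expand(cipher_string):
    """Suite names selected by `cipher_string`, in preference order.
    token: add matching suites not yet listed, in table order;  !token: remove
    and forbid re-adding;  -token: remove (a later token may re-add);
    +token: move matching suites that are already listed to the end."""
    selected, killed = [], set()
    for token in filter(None, cipher_string.split(":")):
        op, body = (token[0], token[1:]) if token[0] in "!-+" else ("", token)
        hits = {s.name for s in SUITES if matches(body, s)}
        if op == "!":
            killed |= hits
        if op in ("!", "-"):
            selected = [s for s in selected if s.name not in hits]
        elif op == "+":
            selected = ([s for s in selected if s.name not in hits]
                        + [s for s in selected if s.name in hits])
        else:
            listed = {s.name for s in selected} | killed
            selected += [s for s in SUITES if s.name in hits - listed]
    return [s.name for s in selected]


OLD = "kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL"
NEW = ("ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:"
       "ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS")


def compare(old, new):
    """(removed, added) suite names when switching from `old` to `new`."""
    a, b = set(expand(old)), set(expand(new))
    return a - b, b - a


if __name__ == "__main__":
    removed, added = compare(OLD, NEW)
    print("old:", " ".join(expand(OLD)))
    print("new:", " ".join(expand(NEW)))
    print("removed:", sorted(removed), "\nadded:", sorted(added))
```

On this table the old string comes out as the ECDHE and static-RSA AES suites with AES128 ahead of AES256 (that is what the `+AES256` token does: it moves the already-selected AES256 suites behind the AES128 ones) and `RC4-SHA` as the last resort; the new string drops `RC4-SHA`, puts the GCM suites first, adds the `DHE-RSA-*` suites the old `!kEDH` had excluded, and ends with the three 3DES suites. It also shows why the trailing `!aNULL:!DSS` matters even though the positive selectors look specific: `ECDH+AES256` and `DH+AES256` pull in `AECDH-AES256-SHA` and `DHE-DSS-AES256-SHA` before the exclusions strip them again.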