Weak ciphers configured in haproxy reported by ssllabs

Hello,

a normal (3.0-)BBB-installation results on grade A on ssllabs with weak ciphers activated. Those weak ciphers are not used by any (popular) client and those clients are not supported:
IE 11 / Win Phone 8.1
Safari 6 / iOS 6.0.1
Safari 7 / iOS 7.1
Safari 7 / OS X 10.9
Safari 8 / iOS 8.4
Safari 8 / OS X 10.10

With
[https://ssl-config.mozilla.org/#server=haproxy&version=2.4.24&config=intermediate&openssl=3.4.2&guideline=5.7](https://ssl-config.mozilla.org/#server=haproxy&version=2.4.24&config=intermediate&openssl=3.4.2&guideline=5.7)
you get the following configuration
ssl-default-bind-curves X25519:prime256v1:secp384r1
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl-default-bind-options prefer-client-ciphers ssl-min-ver TLSv1.2 no-tls-tickets
ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl-default-server-options ssl-min-ver TLSv1.2 no-tls-tickets

haproxy.cfg is overwritten by bbb-install in
https://github.com/bigbluebutton/bbb-install/blob/v3.0.x-release/bbb-install.sh#L744

A (git) diff to fix this issue could like this

```diff
diff --git a/bbb-install.sh b/bbb-install.sh
index a079fa9..223a3c2 100644
--- a/bbb-install.sh
+++ b/bbb-install.sh
@@ -741,9 +741,13 @@ global
        #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
        # An alternative list with additional directives can be obtained from
        #  https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
-       ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
-       ssl-default-bind-options ssl-min-ver TLSv1.2
-       tune.ssl.default-dh-param 2048
+  ssl-default-bind-curves X25519:prime256v1:secp384r1
+  ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
+  ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+  ssl-default-bind-options prefer-client-ciphers ssl-min-ver TLSv1.2 no-tls-tickets
+  ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
+  ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+  ssl-default-server-options ssl-min-ver TLSv1.2 no-tls-tickets
 ```

We already discussed it on
[https://groups.google.com/g/bigbluebutton-dev/c/ZEBqtxi9Oxo/m/sGvL4VDnAgAJ](https://groups.google.com/g/bigbluebutton-dev/c/ZEBqtxi9Oxo/m/sGvL4VDnAgAJ)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Weak ciphers configured in haproxy reported by ssllabs #788

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Weak ciphers configured in haproxy reported by ssllabs #788

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions