Bug#779333: unblock: pre-approval: haproxy/1.5.8-3
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Hey!
Currently, the configuration file shipped with haproxy comes with a
cipher list where RC4 is allowed:
kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL
Since RC4 is almost broken, it seems a good idea to remove it. To keep
compatibility with older browsers, other ciphers need to be introduced
(3DES). There are many recommended cipher strings in the wild:
https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
https://wiki.mozilla.org/Security/Server_Side_TLS
https://github.com/cloudflare/sslconfig/blob/master/conf
We picked the first one. See the attached debdiff.
Would such a change be accepted for Jessie? Not uploaded yet.
unblock haproxy/1.5.8-3
-- System Information:
Debian Release: 8.0
APT prefers unstable
APT policy: (500, 'unstable'), (101, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.19.0-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff --git a/debian/changelog b/debian/changelog
index 0b49137269e2..c3e53128d0fd 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+haproxy (1.5.8-3) unstable; urgency=medium
+
+ * Remove RC4 from the default cipher string shipped in configuration.
+
+ -- Vincent Bernat <bernat@debian.org> Fri, 27 Feb 2015 11:29:23 +0100
+
haproxy (1.5.8-2) unstable; urgency=medium
* Cherry-pick the following patches from 1.5.9 release:
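Review bot: The changelog entry understates the change. The cipher string is not merely stripped of RC4-SHA; it is replaced wholesale with the hynek.me recommendation (new 3DES entries for old clients, new `!DSS` exclusion, dropped `!LOW:!EXP:!eNULL:!kEDH`), and administrators comparing the shipped haproxy.cfg against their local copy will see that. Suggest something like "Replace the default cipher string with the hynek.me recommendation: drop RC4, keep 3DES for compatibility with older clients" so the entry describes what actually changed.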
diff --git a/debian/haproxy.cfg b/debian/haproxy.cfg
index f84a37c9b428..86da67d552d2 100644
--- a/debian/haproxy.cfg
+++ b/debian/haproxy.cfg
@@ -13,9 +13,10 @@ global
crt-base /etc/ssl/private
# Default ciphers to use on SSL-enabled listening sockets.
- # For more information, see ciphers(1SSL).
- ssl-default-bind-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL
- ssl-default-bind-options no-sslv3
+ # For more information, see ciphers(1SSL). This list is from:
+ # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
+ ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
+ ssl-default-bind-options no-sslv3
defaults
log global
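Review bot: The new `ssl-default-bind-ciphers` line drops the explicit `!LOW:!EXP` (and `!eNULL`) exclusions that the old string carried. That is safe as written, because every positive selector names a concrete bulk cipher (AESGCM, AES, 3DES), none of which falls in the LOW, EXP or eNULL classes, but restoring `:!EXP:!LOW` at the end costs nothing and protects the list if someone later appends a broader selector. Two documentation points on the comment block: the cited URL is a moving target, so record the date or revision of the recommendation being copied, and state in the comment why the `+3DES` entries are present (compatibility with older browsers, as the report says), since a reader auditing this file would otherwise expect 3DES to be excluded along with RC4.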