Mitigating the SSL Beast attack using the ALOHA Load-Balancer / HAProxy

The BEAST attack on SSL isn't new, but we have not yet published an article explaining how to mitigate it with the ALOHA or HAProxy.
First of all, to mitigate this attack, you must use the Load-Balancer as the SSL endpoint, then append the following parameter to the bind line of your HAProxy SSL frontend:
  * For the ALOHA Load-Balancer:

bind name https ssl crt domain ciphers RC4:HIGH:!aNULL:!MD5

  * For HAProxy OpenSource:

bind name https ssl crt /path/to/domain.pem ciphers RC4:HIGH:!aNULL:!MD5

As you may have understood, the most important part is the `ciphers RC4:HIGH:!aNULL:!MD5` directive, which forces the cipher used during the connection and makes it strong enough to resist the attack.
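To check that every SSL `bind` line in a configuration actually carries such a directive, here is an added example (not code from the original article or from HAProxy) that extracts the `ciphers` argument and splits it into OpenSSL cipher-string rules. It goes slightly beyond the article's string by also recognising the `+` and `-` prefixes; the sample configuration, addresses, frontend names and function names are constructed for illustration.

```python
import re

# Constructed sample config (not from the article); addresses and names are placeholders.
SAMPLE_CFG = """\
frontend ft_https
    bind 192.0.2.10:443 name https ssl crt /path/to/domain.pem ciphers RC4:HIGH:!aNULL:!MD5
frontend ft_legacy
    bind 192.0.2.11:443 name legacy ssl crt /path/to/domain.pem
frontend ft_http
    bind 192.0.2.10:80 name http
"""

def parse_cipher_string(spec):
    """Split an OpenSSL cipher string into ordered (action, selector) pairs."""
    # '!' permanently excludes, '-' removes (can be re-added), '+' moves to the end.
    ops = {"!": "exclude", "-": "remove", "+": "move_to_end"}
    rules = []
    for token in re.split(r"[:, ]+", spec.strip()):
        if not token:
            continue
        if token[0] in ops:
            rules.append((ops[token[0]], token[1:]))
        else:
            rules.append(("add", token))
    return rules

def audit_bind_lines(cfg_text, required_excludes=("aNULL", "MD5")):
    """Return one finding dict per SSL-enabled bind line."""
    findings = []
    for lineno, line in enumerate(cfg_text.splitlines(), 1):
        words = line.split()
        if not words or words[0] != "bind" or "ssl" not in words[1:]:
            continue  # not a bind line, or a clear-text listener
        entry = {"line": lineno, "address": words[1], "rules": [], "issues": []}
        if "ciphers" in words and words.index("ciphers") + 1 < len(words):
            entry["rules"] = parse_cipher_string(words[words.index("ciphers") + 1])
            excluded = {sel for act, sel in entry["rules"] if act == "exclude"}
            for name in required_excludes:
                if name not in excluded:
                    entry["issues"].append(f"missing !{name}")
        else:
            entry["issues"].append("no ciphers directive on this bind line")
        findings.append(entry)
    return findings

if __name__ == "__main__":
    for f in audit_bind_lines(SAMPLE_CFG):
        print(f["line"], f["address"], f["rules"], f["issues"] or "ok")
```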

About Baptiste Assmann

Aloha Product Manager HAProxy consultant

2 Responses to Mitigating the SSL Beast attack using the ALOHA Load-Balancer / HAProxy

  1. wqw says:

    I’m using `bind x.y.z.a:443 ssl crt /patch/to/file.pem ecdhe prime256v1 ciphers AESGCM:AES:RC4:+EECDH:+EDH:+RSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!EECDH+RC4` for A rating on the Qualys SSL Labs server test (including BEAST attack check).

    This produces server ciphers ordered by key exchange (ECDHE, DHE, none) and prefers GCM for TLS 1.2

    First it adds ciphers we are interested in (AESGCM:AES:RC4), then it orders these (+EECDH:+EDH:+RSA), then removes weak ones (the parts starting with !)

    Needed `ecdhe` param for 1.5dev17 to support ECDH. Needed to append output of `openssl dhparam -rand – 2048` to the pem file to enable DH key exchange.

  2. Pingback: SSL Client certificate information in HTTP headers and logs | HAProxy Technologies – Aloha Load Balancer
