pfSense v2.7.2 – HAProxy 2.9-dev6-f75a369
Settings -> SSL/TLS Compatibility Mode -> Intermediate (disables HIGH ciphers, SHA1, TLS v1.0 and TLS v1.1.)
Frontend -> Advanced ssl options
ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
Frontend -> Advanced certificate specific ssl options
alpn h2,http/1.1 ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
Result
Protocols | |
TLS 1.3 | Yes |
TLS 1.2 | Yes |
TLS 1.1 | No |
TLS 1.0 | No |
SSL 3 | No |
SSL 2 | No |
TLS 1.3
TLS_AES_128_GCM_SHA256 (0x1301) ECDH x25519 (eq. 3072 bits RSA) FS | 128 |
TLS_AES_256_GCM_SHA384 (0x1302) ECDH x25519 (eq. 3072 bits RSA) FS | 256 |
TLS_CHACHA20_POLY1305_SHA256 (0x1303) ECDH x25519 (eq. 3072 bits RSA) FS | 256P |
TLS 1.2
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH x25519 (eq. 3072 bits RSA) FS | 128 |
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH x25519 (eq. 3072 bits RSA) FS | 256 |
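
A way to check that the scan result matches the configured options (an added example, not part of the original note): the script maps the OpenSSL names used in `ciphers` to the IANA names the scan prints and reports anything weak, missing or unexpected. The function names are hypothetical, and the mapping goes beyond the two suites above to cover the ECDHE/DHE AEAD families in general.

```python
import re

# Certificate-specific bind options, copied from the page.
BIND_OPTS = ("alpn h2,http/1.1 "
             "ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384 "
             "ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:"
             "TLS_CHACHA20_POLY1305_SHA256")

# Suite names as listed in the scan result on the page.
SCANNED = ["TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
           "TLS_CHACHA20_POLY1305_SHA256",
           "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
           "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]

# OpenSSL TLS 1.2 names that give forward secrecy and an AEAD cipher.
_FS_AEAD = re.compile(r"^(ECDHE-RSA|ECDHE-ECDSA|DHE-RSA)-"
                      r"(AES128-GCM-SHA256|AES256-GCM-SHA384|CHACHA20-POLY1305)$")
_IANA_TAIL = {"AES128-GCM-SHA256": "AES_128_GCM_SHA256",
              "AES256-GCM-SHA384": "AES_256_GCM_SHA384",
              "CHACHA20-POLY1305": "CHACHA20_POLY1305_SHA256"}

def parse_bind_options(opts):
    """Split 'keyword value ...' into {keyword: [items]}.
    Assumes every keyword takes one value, as the three used here do."""
    tokens = opts.split()
    return {k: re.split(r"[:,]", v) for k, v in zip(tokens[0::2], tokens[1::2])}

def to_iana(openssl_name):
    """IANA name of a forward-secret AEAD TLS 1.2 suite, else None."""
    m = _FS_AEAD.match(openssl_name)
    if not m:
        return None
    return "TLS_%s_WITH_%s" % (m.group(1).replace("-", "_"), _IANA_TAIL[m.group(2)])

def audit(opts, scanned):
    """Compare configured suites with what a scan reported."""
    cfg = parse_bind_options(opts)
    tls12 = cfg.get("ciphers", [])
    expected = {to_iana(c) for c in tls12 if to_iana(c)}
    expected |= set(cfg.get("ciphersuites", []))
    return {"weak": [c for c in tls12 if to_iana(c) is None],
            "missing": sorted(expected - set(scanned)),
            "unexpected": sorted(set(scanned) - expected)}

if __name__ == "__main__":
    print(audit(BIND_OPTS, SCANNED))
```

An entry under "unexpected" means the scanned listener offers a suite the options do not name, which usually points to the options not being applied to that frontend or certificate.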