TLS 1.3 in HAProxy

I think many fail to realize how nice a piece of technology HAProxy can be. Here we are talking about setting up HTTPS for the web assets you expose. TLS 1.3 has been out for some time (RFC 8446, 2018), and it is worth using wherever possible. The point of TLS 1.3, compared to TLS 1.2, is that it allows only a small, fixed set of cipher suites that are currently considered secure: AEAD ciphers (AES-GCM, ChaCha20-Poly1305) combined with an ephemeral (EC)DHE key exchange. The legacy options that caused so much trouble in TLS 1.2, such as static RSA key exchange, CBC-mode suites, RC4, 3DES and SHA-1 based MACs, are simply gone from the protocol. You can, in theory, be secure with the old TLS 1.2, but then it is up to you to make sure your cipher list does not still contain one of those older, broken suites.

With TLS 1.3, you should just be fine. In addition, TLS 1.3 always provides Perfect Forward Secrecy, because every handshake uses an ephemeral key exchange (in TLS 1.2 you only get it if you pick the ECDHE or DHE suites). This is quite an important feature: if the server's private key leaks, an attacker who has been recording your traffic still cannot use that key to recover the plaintext of past sessions. One caveat worth knowing: the per-session keys are short-lived, but the key HAProxy uses to encrypt session tickets is not, so if you want forward secrecy to hold for resumed sessions as well, rotate the ticket keys (the tls-ticket-keys bind option) or turn tickets off with the no-tls-tickets bind option.

If you are using HAProxy in front of your digital assets (web server, custom service, or whatever TCP application you need to expose over the web) you will probably have TLS termination at the balancer level. Other configurations are of course possible, but letting HAProxy handle all the certificate jazz is actually quite convenient: at the application level you don't need to bother about certificates at all, since everything is handled by the load balancer. As it turns out, to enforce TLS 1.3 on all of your frontends (unless a particular bind line specifies otherwise), all you need to do is put, in the global section of your haproxy.cfg:

ssl-default-bind-options ssl-min-ver TLSv1.3

Note that ssl-min-ver is a minimum: this turns off TLS 1.2 (and everything older) as well, so clients that cannot speak TLS 1.3 yet, such as older Android releases or embedded agents, will fail the handshake. It also needs a reasonably recent HAProxy (1.8 or later) built against OpenSSL 1.1.1 or later; check what you have with haproxy -vv before you rely on it.
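For context, here is a fuller haproxy.cfg, added here as an example rather than taken from the original post, showing where that global line sits, an explicit TLS 1.3 suite list, a commented-out alternative for the case where you must still accept TLS 1.2 clients, and the checks to run afterwards. The hostname, certificate path and backend address are placeholders.

```haproxy
# Added example, not from the original post. Hostname, certificate path
# and backend address are placeholders; adjust them to your environment.
global
    # Applies to every "bind ... ssl" line that does not override it.
    # ssl-min-ver TLSv1.3 also switches off TLS 1.2, 1.1 and 1.0.
    ssl-default-bind-options ssl-min-ver TLSv1.3
    # TLS 1.3 suites. This is already OpenSSL 1.1.1's default list; it is
    # spelled out so the choice is explicit. All are AEAD and use (EC)DHE.
    ssl-default-bind-ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
    # If you still have to accept TLS 1.2 clients, use this pair instead:
    # TLS 1.2 stays reachable, but only with forward-secret AEAD suites.
    # ssl-default-bind-options ssl-min-ver TLSv1.2
    # ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+CHACHA20

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend https_in
    # PEM bundle holding the private key and the certificate chain.
    bind :443 ssl crt /etc/haproxy/certs/example.com.pem alpn h2,http/1.1
    default_backend app

backend app
    server app1 127.0.0.1:8080 check

# Checks to run after a reload (typed into a shell, not part of the config):
#   haproxy -c -f /etc/haproxy/haproxy.cfg        # configuration is valid
#   haproxy -vv | grep -i openssl                  # built with OpenSSL 1.1.1+
#   openssl s_client -connect example.com:443 -tls1_3 </dev/null 2>/dev/null | grep Protocol
#       -> "Protocol  : TLSv1.3"
#   openssl s_client -connect example.com:443 -tls1_2 </dev/null
#       -> handshake fails with "alert protocol version"
```

The last two commands are the real test: a TLS 1.3 connection must succeed, and a forced TLS 1.2 connection must be rejected by the server with a protocol version alert. If the second one succeeds, some bind line is overriding the global default or the running binary was built against an OpenSSL too old to understand TLSv1.3.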

Paolo Lulli 2021

Keywords: [ cryptography ] [ certificate ] [ git ]