Web Application Firewall & Reverse Proxy

  • 1.  Changing order of cipher suites used in https reverse proxy

    Posted May 09, 2018 08:58 AM

    Is it possible to have a preferred order of cipher suites used for a reverse proxy?

    I noticed that when I run a Qualys SSL Server Test on google.com, the list of ciphers has a server preferred order, but for my sites behind a Bluecoat reverse proxy, it says server has no preference.

    I am running 6.6.5.14. 

     

     



  • 2.  RE: Changing order of cipher suites used in https reverse proxy

    Posted May 10, 2018 01:14 AM

    Hi Farma,

     

    As far as I can see, ProxySG follows the client order (i.e. it doesn't follow an order of its own). I don't see an option to enforce server order either. If you would like this option to be considered for addition in the future, please file this as a Feature Request with our Sales Engineer for your region.



  • 3.  RE: Changing order of cipher suites used in https reverse proxy

    Posted May 14, 2018 06:22 AM

    Thanks, I didn't see an option either, and I wasn't sure if I was just not finding it.

    In theory a modern browser should negotiate a secure cipher before failing to an older, less secure one. My problem is that I am seeing a message that "This server does not support Forward Secrecy with the reference browsers. Grade capped to B" from the Qualys SSL Labs test. I am not sure if this is caused by a client negotiating a less secure cipher than it could use, or some other cipher exchange issue. Anybody else run into this problem? It seems we don't have much in the forums since they were migrated over.



  • 4.  RE: Changing order of cipher suites used in https reverse proxy
    Best Answer

    Posted May 16, 2018 06:56 AM

    I found some of the reference browsers used on the test had weaker cipher suites in a higher priority, so those were being used instead of the stronger ones with PFS.
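
Added example (not part of the thread, and not ProxySG code): a small model of TLS 1.2-style suite selection showing how a client that lists a non-PFS suite first ends up without forward secrecy when the server follows client order, as described in posts 2 and 4. The server suite list and the two client offers are constructed samples, and the function names are hypothetical.

```python
# Model of TLS <=1.2 cipher suite selection; all lists are constructed samples.
FS_PREFIXES = ("TLS_ECDHE_", "TLS_DHE_")  # ephemeral key exchange => forward secrecy

SERVER_SUITES = [  # hypothetical proxy configuration, strongest first
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]

CLIENTS = {  # hypothetical ClientHello offers, in the client's own preference order
    "modern": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
               "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
               "TLS_RSA_WITH_AES_128_CBC_SHA"],
    "legacy": ["TLS_RSA_WITH_AES_128_CBC_SHA",
               "TLS_RSA_WITH_AES_256_CBC_SHA",
               "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"],
}


def has_forward_secrecy(suite):
    """True if a suite was negotiated and it uses an ephemeral key exchange."""
    return suite is not None and suite.startswith(FS_PREFIXES)


def negotiate(client_offer, server_suites, honor_server_order):
    """Pick the first mutually supported suite, walking whichever list has priority."""
    if honor_server_order:
        ordered, allowed = server_suites, set(client_offer)
    else:
        ordered, allowed = client_offer, set(server_suites)
    return next((s for s in ordered if s in allowed), None)


def clients_without_fs(server_suites, honor_server_order):
    """Names of sample clients whose handshake ends on a non-FS suite (or fails)."""
    return [name for name, offer in CLIENTS.items()
            if not has_forward_secrecy(negotiate(offer, server_suites, honor_server_order))]


if __name__ == "__main__":
    for server_order in (False, True):
        label = "server order" if server_order else "client order"
        for name, offer in CLIENTS.items():
            print(f"{label:12} {name:7} -> {negotiate(offer, SERVER_SUITES, server_order)}")
    print("no FS under client order:", clients_without_fs(SERVER_SUITES, False))
```

In this model, filtering `SERVER_SUITES` down to its ECDHE entries also moves the legacy client onto a PFS suite under client order, at the cost of refusing any client that offers no such suite.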