pfSense warning message use only ssl-min-ver after upgrade

We use pfSense for our customers as a firewall and load balancer; it's a great open source product. pfSense is a comprehensive network security solution for businesses of all sizes. It brings together the most advanced technology available to protect your network while using open source software.

Ignore no-sslv3/no-tlsv1x warning

Recently one of our customers upgraded their firewall and started getting a warning message.

[WARNING] 267/093714 (39113) : Proxy 'Prod_Web_SSL': no-sslv3/no-tlsv1x are ignored for bind '10.230.104.111:443' at [/var/etc/haproxy/haproxy.cfg:92]. Use only 'ssl-min-ver' and 'ssl-max-ver' to fix.

This issue occurs because the configuration changed when upgrading HAProxy from 1.6 to 1.8.

In each SSL-enabled frontend we had Advanced ssl options filled in with "no-sslv3 no-tlsv10 force-tlsv12".

How we resolved it

We resolved the issue by first removing those entries from Advanced ssl options, and then creating a global entry to eliminate older SSL versions.

How: select Settings, then Custom options

We added a line ssl-default-bind-options ssl-min-ver TLSv1.2

This is what our whole configuration looks like right now:

ssl-default-bind-options ssl-min-ver TLSv1.2
tune.ssl.default-dh-param 2048
ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
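
A small check for the cleanup described above, added here as an example (it is not code from the original post, pfSense or HAProxy): it lists the bind lines in an haproxy.cfg that still carry the per-bind no-sslv3/no-tlsv1x/force-tlsv1x keywords and reports the global ssl-min-ver, if one is set. The audit function, both sample configs and the certificate path are constructed for illustration.

```python
import re

# Per-bind protocol keywords of the kind the page removed from "Advanced ssl options".
LEGACY = re.compile(r"no-sslv3|no-tlsv1[0-3]|force-sslv3|force-tlsv1[0-3]")
SECTIONS = ("global", "defaults", "frontend", "backend", "listen")


def audit(cfg_text):
    """Return (findings, global_min_ver) for haproxy.cfg content given as text.

    findings is a list of (line_number, proxy_name, [legacy keywords]);
    global_min_ver is the ssl-min-ver from ssl-default-bind-options, or None.
    """
    findings, global_min, section, name = [], None, None, ""
    for lineno, raw in enumerate(cfg_text.splitlines(), 1):
        words = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if not words:
            continue
        if words[0] in SECTIONS:
            section, name = words[0], (words[1] if len(words) > 1 else "")
        elif section == "global" and words[0] == "ssl-default-bind-options":
            if "ssl-min-ver" in words[:-1]:
                global_min = words[words.index("ssl-min-ver") + 1]
        elif words[0] == "bind":
            legacy = [w for w in words if LEGACY.fullmatch(w)]
            if legacy:
                findings.append((lineno, name, legacy))
    return findings, global_min


# Constructed sample: the frontend before the change (cert path is a placeholder).
BEFORE = """\
global
    tune.ssl.default-dh-param 2048
frontend Prod_Web_SSL
    bind 10.230.104.111:443 ssl crt /example/cert.pem no-sslv3 no-tlsv10 force-tlsv12
"""

# Constructed sample: the same frontend after moving the policy to the global section.
AFTER = """\
global
    ssl-default-bind-options ssl-min-ver TLSv1.2
    tune.ssl.default-dh-param 2048
frontend Prod_Web_SSL
    bind 10.230.104.111:443 ssl crt /example/cert.pem
"""

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(cfg))
```

An empty findings list together with a global minimum of TLSv1.2 matches the configuration shown above. Note that ssl-min-ver TLSv1.2 also permits newer TLS versions, whereas force-tlsv12 pinned the listener to TLS 1.2 only.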

Hope that helps you resolve the same issue our customer had.