Posted to users@trafficserver.apache.org by "Chee, Anthony [COMP]" <an...@polyu.edu.hk> on 2016/07/18 07:37:39 UTC

SSL and Reverse Proxy

I am using CentOS 7 as the OS. The version of trafficserver is v5.3.0, which comes from EPEL 7. CentOS 7 is updated with all patches.

I would like to set up a reverse proxy which listens on 80 and 443. It accepts SSL connections, mapping each connection to an internal host, also over SSL.

Below is the portion of records.conf I modified.

CONFIG proxy.config.ssl.client.cert.filename STRING mycert.crt
CONFIG proxy.config.ssl.client.private_key.filename STRING mykey.key
#CONFIG proxy.config.ssl.allow_client_renegotiation INT 1
CONFIG proxy.config.ssl.SSLv2 INT 0
CONFIG proxy.config.ssl.SSLv3 INT 0
CONFIG proxy.config.ssl.TLSv1 INT 1
CONFIG proxy.config.ssl.TLSv1_1 INT 1
CONFIG proxy.config.ssl.TLSv1_2 INT 1
CONFIG proxy.config.ssl.client.verify.server INT 0
CONFIG proxy.config.ssl.client.CA.cert.filename STRING NULL
CONFIG proxy.config.ssl.server.cipher_suite STRING EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
CONFIG proxy.config.diags.debug.enabled INT 1
CONFIG proxy.config.diags.debug.tags STRING http.*|dns.*|ssl.*


Below is the remap.conf I modified.

map https://publichost https://internalhost/path

I used Chrome to connect to https://publichost and it gives me the following:

ERR_SSL_VERSION_OR_CIPHER_MISMATCH
The client and server don't support a common SSL protocol version or cipher suite. This is likely to be caused when the server needs RC4, which is no longer considered secure.

From my understanding, RC4 should already be disabled by the above cipher_suite setting. I would like to ask if there is anything I missed. I tested with a non-SSL reverse proxy and it seems OK.

Regards,
Anthony



Disclaimer:

This message (including any attachments) contains confidential information intended for a specific individual and purpose. If you are not the intended recipient, you should delete this message and notify the sender and The Hong Kong Polytechnic University (the University) immediately. Any disclosure, copying, or distribution of this message, or the taking of any action based on it, is strictly prohibited and may be unlawful.

The University specifically denies any responsibility for the accuracy or quality of information obtained through University E-mail Facilities. Any views and opinions expressed are only those of the author(s) and do not necessarily represent those of the University and the University accepts no liability whatsoever for any losses or damages incurred or caused to any party as a result of the use of such information.

RE: SSL and Reverse Proxy

Posted by "Chee, Anthony [COMP]" <an...@polyu.edu.hk>.
Oh. Thank you. You reminded me to modify the ssl_multicert.config.

It seems working now.

-----Original Message-----
From: James Peach [mailto:jpeach@apache.org]
Sent: Monday, 18 July 2016 7:19 PM
To: users@trafficserver.apache.org
Subject: Re: SSL and Reverse Proxy


> On Jul 18, 2016, at 5:37 PM, Chee, Anthony [COMP] <an...@polyu.edu.hk> wrote:
>
> I am using CentOS 7 as the OS. The version of trafficserver is v5.3.0, which comes from EPEL 7. CentOS 7 is updated with all patches.
>
> I would like to set up a reverse proxy which listens on 80 and 443. It accepts SSL connections, mapping each connection to an internal host, also over SSL.
>
> Below is the portion of records.conf I modified.
>
> CONFIG proxy.config.ssl.client.cert.filename STRING mycert.crt
> CONFIG proxy.config.ssl.client.private_key.filename STRING mykey.key

This is specifying the certificate Traffic Server will present to “internalhost”. Did you add a ssl_multicert.config entry with the certificate and key for “publichost”?

> #CONFIG proxy.config.ssl.allow_client_renegotiation INT 1
> CONFIG proxy.config.ssl.SSLv2 INT 0
> CONFIG proxy.config.ssl.SSLv3 INT 0
> CONFIG proxy.config.ssl.TLSv1 INT 1
> CONFIG proxy.config.ssl.TLSv1_1 INT 1
> CONFIG proxy.config.ssl.TLSv1_2 INT 1
> CONFIG proxy.config.ssl.client.verify.server INT 0
> CONFIG proxy.config.ssl.client.CA.cert.filename STRING NULL
> CONFIG proxy.config.ssl.server.cipher_suite STRING EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
> CONFIG proxy.config.diags.debug.enabled INT 1
> CONFIG proxy.config.diags.debug.tags STRING http.*|dns.*|ssl.*
>
>
> Below is the remap.conf I modified.
>
> map https://publichost https://internalhost/path
>
> I used Chrome to connect to https://publichost and it gives me the following:
>
> ERR_SSL_VERSION_OR_CIPHER_MISMATCH
> The client and server don't support a common SSL protocol version or cipher suite. This is likely to be caused when the server needs RC4, which is no longer considered secure.
>
> From my understanding, RC4 should already be disabled by the above cipher_suite setting. I would like to ask if there is anything I missed. I tested with a non-SSL reverse proxy and it seems OK.
>
> Regards,
> Anthony
>
>



Re: SSL and Reverse Proxy

Posted by James Peach <jp...@apache.org>.
> On Jul 18, 2016, at 5:37 PM, Chee, Anthony [COMP] <an...@polyu.edu.hk> wrote:
> 
> I am using CentOS 7 as the OS. The version of trafficserver is v5.3.0, which comes from EPEL 7. CentOS 7 is updated with all patches.
> 
> I would like to set up a reverse proxy which listens on 80 and 443. It accepts SSL connections, mapping each connection to an internal host, also over SSL.
> 
> Below is the portion of records.conf I modified.
> 
> CONFIG proxy.config.ssl.client.cert.filename STRING mycert.crt
> CONFIG proxy.config.ssl.client.private_key.filename STRING mykey.key

This is specifying the certificate Traffic Server will present to “internalhost”. Did you add a ssl_multicert.config entry with the certificate and key for “publichost”?

> #CONFIG proxy.config.ssl.allow_client_renegotiation INT 1
> CONFIG proxy.config.ssl.SSLv2 INT 0
> CONFIG proxy.config.ssl.SSLv3 INT 0
> CONFIG proxy.config.ssl.TLSv1 INT 1
> CONFIG proxy.config.ssl.TLSv1_1 INT 1
> CONFIG proxy.config.ssl.TLSv1_2 INT 1
> CONFIG proxy.config.ssl.client.verify.server INT 0
> CONFIG proxy.config.ssl.client.CA.cert.filename STRING NULL
> CONFIG proxy.config.ssl.server.cipher_suite STRING EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
> CONFIG proxy.config.diags.debug.enabled INT 1
> CONFIG proxy.config.diags.debug.tags STRING http.*|dns.*|ssl.*
> 
> 
> Below is the remap.conf I modified.
> 
> map https://publichost https://internalhost/path
> 
> I used Chrome to connect to https://publichost and it gives me the following:
> 
> ERR_SSL_VERSION_OR_CIPHER_MISMATCH
> The client and server don't support a common SSL protocol version or cipher suite. This is likely to be caused when the server needs RC4, which is no longer considered secure.
> 
> From my understanding, RC4 should already be disabled by the above cipher_suite setting. I would like to ask if there is anything I missed. I tested with a non-SSL reverse proxy and it seems OK.
> 
> Regards,
> Anthony
> 
> 

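James's question above is the crux of the thread: the proxy.config.ssl.client.* records describe the certificate Traffic Server presents to the origin ("internalhost") when it acts as a TLS client, while the certificate browsers are shown for "publichost" has to come from an ssl_multicert.config entry. The Python below is an added example written for this page, not code from the thread or from Traffic Server. It parses constructed records.config and ssl_multicert.config fragments (all file names in them are placeholders) and reports that mismatch, a records.config line that lacks its type token, and the verify.server 0 setting that leaves the origin's certificate unchecked.

```python
"""Lint the two TLS sides of a Traffic Server reverse proxy.

Added example, not code from the thread or from Traffic Server. It models the
point James Peach makes: proxy.config.ssl.client.* records describe the
certificate ATS presents to the origin ("internalhost") when it acts as a TLS
client, while the certificate served to browsers for "publichost" must come
from ssl_multicert.config. Both fragments below are constructed for the
example and every file name in them is a placeholder.
"""
import shlex

RECORD_TYPES = {"INT", "STRING", "FLOAT"}


def parse_records(text):
    """Parse 'CONFIG <name> <TYPE> <value>' lines from records.config.

    Returns (records, errors): records maps name -> value; errors lists lines
    that lack one of the four fields. ATS rejects such a line instead of
    applying it, so a setting that seems to do nothing is often one of these.
    """
    records, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 3)
        if len(parts) != 4 or parts[0] not in ("CONFIG", "LOCAL") or parts[2] not in RECORD_TYPES:
            errors.append(f"line {lineno}: expected 'CONFIG <name> <TYPE> <value>': {line}")
            continue
        records[parts[1]] = parts[3]
    return records, errors


def parse_multicert(text):
    """Parse ssl_multicert.config: one browser-facing certificate per line, as
    key=value pairs (dest_ip, ssl_cert_name, ssl_key_name, ...)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        entry = {}
        for token in shlex.split(line):
            key, sep, value = token.partition("=")
            if sep:
                entry[key] = value
        entries.append(entry)
    return entries


def lint_tls_proxy(records_text, multicert_text):
    """Return findings for a records.config / ssl_multicert.config pair.

    Records absent from the fragment are treated as unset here; that is an
    assumption of this example, not a statement about ATS defaults.
    """
    records, errors = parse_records(records_text)
    findings = list(errors)
    certs = [e for e in parse_multicert(multicert_text) if "ssl_cert_name" in e]

    # Browsers get whatever ssl_multicert.config serves; client.* does not help.
    if not certs:
        msg = "no ssl_multicert.config entry with ssl_cert_name: nothing to present to browsers on 443"
        if "proxy.config.ssl.client.cert.filename" in records:
            msg += " (proxy.config.ssl.client.cert.filename is what ATS presents to the origin)"
        findings.append(msg)
    # With verify.server 0 the origin's certificate is accepted unchecked.
    if records.get("proxy.config.ssl.client.verify.server", "0") == "0":
        findings.append("proxy.config.ssl.client.verify.server is 0: the origin's certificate is "
                        "not verified, so the internal hop can be impersonated")
    elif records.get("proxy.config.ssl.client.CA.cert.filename", "NULL") == "NULL":
        findings.append("verify.server is on but proxy.config.ssl.client.CA.cert.filename is NULL: "
                        "origin verification has no trust anchor")
    return findings


# Constructed fragments. EXAMPLE_BROKEN has only the client-side certificate
# settings, and its last line deliberately omits the STRING type token.
EXAMPLE_BROKEN_RECORDS = """\
CONFIG proxy.config.ssl.client.cert.filename STRING mycert.crt
CONFIG proxy.config.ssl.client.private_key.filename STRING mykey.key
CONFIG proxy.config.ssl.client.verify.server INT 0
CONFIG proxy.config.ssl.client.CA.cert.filename STRING NULL
CONFIG proxy.config.ssl.server.cipher_suite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384
"""
EXAMPLE_BROKEN_MULTICERT = ""  # no browser-facing certificate configured at all

EXAMPLE_FIXED_RECORDS = """\
CONFIG proxy.config.http.server_ports STRING 80 443:ssl
CONFIG proxy.config.ssl.client.verify.server INT 1
CONFIG proxy.config.ssl.client.CA.cert.filename STRING internal-ca.pem
CONFIG proxy.config.ssl.server.cipher_suite STRING ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384
"""
EXAMPLE_FIXED_MULTICERT = """\
# certificate and key browsers see for publichost (placeholder file names)
dest_ip=* ssl_cert_name=publichost.pem ssl_key_name=publichost.key
"""

if __name__ == "__main__":
    for label, rec, mc in (("broken", EXAMPLE_BROKEN_RECORDS, EXAMPLE_BROKEN_MULTICERT),
                           ("fixed", EXAMPLE_FIXED_RECORDS, EXAMPLE_FIXED_MULTICERT)):
        findings = lint_tls_proxy(rec, mc)
        print(f"{label}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

The broken pair yields three findings (the malformed cipher_suite line, the missing browser-facing certificate, and the unverified origin); the fixed pair yields none. The origin-verification check is the one a reviewer should not skip: with verify.server 0 and no CA file, the hop from the proxy to internalhost is encrypted but not authenticated.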

Re: SSL and Reverse Proxy

Posted by Reindl Harald <h....@thelounge.net>.

On 18.07.2016 at 11:01, Chee, Anthony [COMP] wrote:
> The cipher-suite is from https://cipherli.st/

lol - a site which is mixing unencrypted and encrypted content giving TLS recommendations sounds like blind people talking about colors

(http://hosted-oswa.org/piwik/piwik.php?idsite=33)

> "Yes, give me a ciphersuite that works with legacy / old software."

I gave you one which is here in production for a ton of domains and several services!

> -----Original Message-----
> From: Reindl Harald [mailto:h.reindl@thelounge.net]
> Sent: Monday, 18 July 2016 4:52 PM
> To: users@trafficserver.apache.org
> Subject: Re: SSL and Reverse Proxy
>
>
>
> On 18.07.2016 at 09:37, Chee, Anthony [COMP] wrote:
>> CONFIG proxy.config.ssl.server.cipher_suite STRING EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
>
> from where do you have that ciphersuite?
>
> "DHE-RSA-AES128-GCM-SHA384" as an example is nonsense because it does not exist, it's AES256/SHA384 or AES128/SHA256 and facing such a mistake I don't want to look at the rest - I suggest you don't touch such settings until you understand what you are doing
>
> try that one:
> CONFIG proxy.config.ssl.server.cipher_suite STRING ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-CAMELLIA256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:CAMELLIA128-SHA:CAMELLIA256-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:!LOW:!MEDIUM
> ________________________
>
> "openssl ciphers -v" will give you valid ciphers
>
>
> [harry@rh:~]$ openssl ciphers -v | grep GCM | grep AES128
> ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
> ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
> AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
> DHE-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(128) Mac=AEAD
> DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
>
>



RE: SSL and Reverse Proxy

Posted by "Chee, Anthony [COMP]" <an...@polyu.edu.hk>.
The cipher-suite is from https://cipherli.st/ -> "Yes, give me a ciphersuite that works with legacy / old software."

-----Original Message-----
From: Reindl Harald [mailto:h.reindl@thelounge.net]
Sent: Monday, 18 July 2016 4:52 PM
To: users@trafficserver.apache.org
Subject: Re: SSL and Reverse Proxy



On 18.07.2016 at 09:37, Chee, Anthony [COMP] wrote:
> CONFIG proxy.config.ssl.server.cipher_suite STRING EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4

from where do you have that ciphersuite?

"DHE-RSA-AES128-GCM-SHA384" as an example is nonsense because it does not exist, it's AES256/SHA384 or AES128/SHA256 and facing such a mistake I don't want to look at the rest - I suggest you don't touch such settings until you understand what you are doing

try that one:
CONFIG proxy.config.ssl.server.cipher_suite STRING ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-CAMELLIA256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:CAMELLIA128-SHA:CAMELLIA256-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:!LOW:!MEDIUM
________________________

"openssl ciphers -v" will give you valid ciphers


[harry@rh:~]$ openssl ciphers -v | grep GCM | grep AES128
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD



Re: SSL and Reverse Proxy

Posted by Reindl Harald <h....@thelounge.net>.

On 18.07.2016 at 09:37, Chee, Anthony [COMP] wrote:
> CONFIG proxy.config.ssl.server.cipher_suite STRING EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4

from where do you have that ciphersuite?

"DHE-RSA-AES128-GCM-SHA384" as an example is nonsense because it does not exist, it's AES256/SHA384 or AES128/SHA256 and facing such a mistake I don't want to look at the rest - I suggest you don't touch such settings until you understand what you are doing

try that one:
CONFIG proxy.config.ssl.server.cipher_suite STRING ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-CAMELLIA256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:CAMELLIA128-SHA:CAMELLIA256-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:!LOW:!MEDIUM
________________________

"openssl ciphers -v" will give you valid ciphers


[harry@rh:~]$ openssl ciphers -v | grep GCM | grep AES128
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
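Harald's objection can be mechanised. The Python below is an added example written for this page, not code from the thread, from Traffic Server or from OpenSSL: it splits an OpenSSL cipher list into keywords and suite names and applies the AES128/SHA256, AES256/SHA384 pairing rule to each name. Run over the list posted in the thread it reports every DHE-RSA-AES128-GCM-SHA384 and *-SHA128 style entry; run over the list Harald suggests it reports none. The pairing rules are the example's own summary, deliberately limited to the RSA/DSS/ECDSA-authenticated AES, 3DES and Camellia families, and anything outside that model is reported as unknown rather than guessed at; `openssl ciphers -v` on the proxy host remains the authoritative check.

```python
"""Sanity-check an OpenSSL cipher list before it goes into records.config.

Added example, not code from the thread, from Traffic Server or from OpenSSL.
It encodes the rule Reindl Harald states: AES128-GCM pairs with SHA256 and
AES256-GCM with SHA384, and "SHA128" is not a hash, so a name such as
DHE-RSA-AES128-GCM-SHA384 does not exist. The pairing rules are this
example's own summary of the RSA/DSS/ECDSA-authenticated AES, 3DES and
Camellia suite names; `openssl ciphers -v '<list>'` on the proxy host remains
the authoritative check.
"""
import re

# One suite name: optional key-exchange prefix, cipher, then the hash suffix.
SUITE_RE = re.compile(
    r"^(?P<kx>ECDHE-(?:RSA|ECDSA)-|DHE-(?:RSA|DSS)-|EDH-RSA-|)"
    r"(?P<enc>AES(?P<bits>128|256)(?P<gcm>-GCM)?|DES-CBC3|CAMELLIA(?:128|256))"
    r"-(?P<mac>SHA\d*)$"
)


def pairing_error(m):
    """Why a name matching SUITE_RE cannot exist, or None if it is well-formed."""
    kx, enc, mac = m["kx"], m["enc"], m["mac"]
    if mac not in ("SHA", "SHA256", "SHA384"):
        return f"{mac} is not a TLS hash (SHA, SHA256 or SHA384)"
    if enc == "DES-CBC3":
        return None if mac == "SHA" else "3DES suites only exist with SHA"
    if enc.startswith("CAMELLIA"):
        return None if mac in ("SHA", "SHA256") else "Camellia suites exist with SHA or SHA256"
    bits = m["bits"]
    if m["gcm"]:  # AEAD suites: the hash is fixed by the key size
        want = "SHA256" if bits == "128" else "SHA384"
        return None if mac == want else f"AES{bits}-GCM pairs only with {want}"
    if mac == "SHA":  # AES-CBC with HMAC-SHA1 exists for every key size
        return None
    if kx.startswith("ECDHE"):  # ECDHE AES-CBC SHA-2 suites follow the GCM pairing
        want = "SHA256" if bits == "128" else "SHA384"
        return None if mac == want else f"ECDHE AES{bits}-CBC pairs only with {want}"
    return None if mac == "SHA256" else "DHE/RSA AES-CBC SHA-2 suites only exist with SHA256"


def classify(token):
    """Sort one colon-separated token: keywords, suites, invalid (name, why) or unknown."""
    if token[0] in "!+-@" or "+" in token or "-" not in token:
        return "keywords", token  # !RC4, HIGH, EECDH+AESGCM, @STRENGTH, ...
    m = SUITE_RE.match(token)
    if not m:
        return "unknown", token  # outside this checker's model; ask openssl
    reason = pairing_error(m)
    return ("invalid", (token, reason)) if reason else ("suites", token)


def check_cipher_string(cipher_string):
    """Return {'keywords': [...], 'suites': [...], 'invalid': [(name, why)], 'unknown': [...]}."""
    result = {"keywords": [], "suites": [], "invalid": [], "unknown": []}
    for token in filter(None, cipher_string.split(":")):
        kind, payload = classify(token)
        result[kind].append(payload)
    return result


# The list posted in the thread and the replacement suggested in reply.
POSTED = ("EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:"
          "ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:"
          "DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:"
          "ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:"
          "DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:"
          "ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:"
          "AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:DES-CBC3-SHA:"
          "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4")
SUGGESTED = ("ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:"
             "DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:"
             "ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:"
             "DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-CAMELLIA256-SHA:"
             "AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:CAMELLIA128-SHA:"
             "CAMELLIA256-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:!LOW:!MEDIUM")

if __name__ == "__main__":
    for label, ciphers in (("posted", POSTED), ("suggested", SUGGESTED)):
        r = check_cipher_string(ciphers)
        print(f"{label}: {len(r['suites'])} suites, {len(r['keywords'])} keywords, "
              f"{len(r['invalid'])} invalid, {len(r['unknown'])} unknown")
        for name, why in r["invalid"]:
            print(f"  {name}: {why}")
```

Of the 35 tokens in the posted list, 12 are names that cannot exist; OpenSSL silently drops unknown names from a cipher list, so the server ends up negotiating from whatever the remaining names and the HIGH keyword happen to select, which is why such a list "works" without anyone noticing the typos.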