diff --git a/net/haproxy/Makefile b/net/haproxy/Makefile
index a27f03962..65767a88a 100644
--- a/net/haproxy/Makefile
+++ b/net/haproxy/Makefile
@@ -1,5 +1,5 @@
PLUGIN_NAME= haproxy
-PLUGIN_VERSION= 2.24
+PLUGIN_VERSION= 2.25
PLUGIN_COMMENT= Reliable, high performance TCP/HTTP load balancer
PLUGIN_DEPENDS= haproxy20
PLUGIN_MAINTAINER= opnsense@moov.de
diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index be9ec9837..0f76d393a 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -6,6 +6,11 @@ very high loads while needing persistence or Layer7 processing.
Plugin Changelog
================
+2.25
+
+Added:
+* add support for TLSv1.3 (#790)
+
2.24
Added:
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml
index 32e200eb9..754bd8b03 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml
@@ -98,11 +98,29 @@
true
+
+ frontend.ssl_minVersion
+
+ dropdown
+
+
+
+ frontend.ssl_maxVersion
+
+ dropdown
+
+
frontend.ssl_cipherList
text
-
+
+
+
+ frontend.ssl_cipherSuites
+
+ text
+
frontend.ssl_hstsEnabled
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalTuning.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalTuning.xml
index a5abb322c..33081d576 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalTuning.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalTuning.xml
@@ -93,10 +93,28 @@
true
+
+ haproxy.general.tuning.ssl_minVersion
+
+ dropdown
+
+
+
+ haproxy.general.tuning.ssl_maxVersion
+
+ dropdown
+
+
haproxy.general.tuning.ssl_cipherList
text
-
+
+
+
+ haproxy.general.tuning.ssl_cipherSuites
+
+ text
+
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
index 914f3b74d..87f42e7f9 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@@ -136,18 +136,44 @@
no-tlsv10
no-tlsv11
no-tlsv12
+ no-tlsv13
no-tls-tickets
force-sslv3
force-tlsv10
force-tlsv11
force-tlsv12
+ force-tlsv13
strict-sni
+
+ N
+
+ SSLv3
+ TLSv1.0
+ TLSv1.1
+ TLSv1.2
+ TLSv1.3
+
+
+
+ N
+
+ SSLv3
+ TLSv1.0
+ TLSv1.1
+ TLSv1.2
+ TLSv1.3
+
+
ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
N
+
+ TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
+ N
+
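Review bot: The new ssl_minVersion and ssl_maxVersion option lists (the two SSLv3…TLSv1.3 blocks) accept any combination, so a minimum of TLSv1.3 with a maximum of TLSv1.2 passes model validation and only fails later, when HAProxy rejects the generated bind line at reload; if the model supports a cross-field constraint, reject min > max here, otherwise say so in the field help. The bind-option list also keeps force-tlsv12 and adds force-tlsv13 next to the new version fields, so a user can pick force-tlsv12 together with ssl-min-ver TLSv1.3, which HAProxy is likely to refuse as well; a help line such as `Prefer the minimum/maximum TLS version fields over the force-*/no-* bind options; do not combine them` would prevent that. Both lists offer SSLv3, TLSv1.0 and TLSv1.1 with no help text visible in the hunk; a short note that these are deprecated and only for legacy clients would make the default (none) the obviously safe choice. The same lists and defaults are duplicated in the second hunk at line 468 and would need the same treatment; the model's element tags are stripped in this view, so the exact constraint syntax cannot be confirmed here.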
@@ -442,18 +468,44 @@
no-tlsv10
no-tlsv11
no-tlsv12
+ no-tlsv13
no-tls-tickets
force-sslv3
force-tlsv10
force-tlsv11
force-tlsv12
+ force-tlsv13
strict-sni
+
+ N
+
+ SSLv3
+ TLSv1.0
+ TLSv1.1
+ TLSv1.2
+ TLSv1.3
+
+
+
+ N
+
+ SSLv3
+ TLSv1.0
+ TLSv1.1
+ TLSv1.2
+ TLSv1.3
+
+
ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
N
+
+ TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
+ N
+
1
Y
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index 10dd9c495..1796018a4 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -869,16 +869,27 @@ global
{% endif %}
{# # ssl default settings #}
{% if OPNsense.HAProxy.general.tuning.ssl_defaultsEnabled|default("") == '1' %}
+{% set bindopts = [] %}
{% if OPNsense.HAProxy.general.tuning.ssl_bindOptions|default("") != "" %}
-{% set bindopts = [] %}
{% for bindopt in OPNsense.HAProxy.general.tuning.ssl_bindOptions.split(",") %}
{% do bindopts.append(bindopt) %}
{% endfor %}
+{% endif %}
+{% if OPNsense.HAProxy.general.tuning.ssl_minVersion|default("") != "" %}
+{% do bindopts.append('ssl-min-ver ' ~ OPNsense.HAProxy.general.tuning.ssl_minVersion) %}
+{% endif %}
+{% if OPNsense.HAProxy.general.tuning.ssl_maxVersion|default("") != "" %}
+{% do bindopts.append('ssl-max-ver ' ~ OPNsense.HAProxy.general.tuning.ssl_maxVersion) %}
+{% endif %}
+{% if (bindopts is defined and bindopts|default("") != "" )%}
ssl-default-bind-options {{ bindopts|join(' ') }}
{% endif %}
{% if OPNsense.HAProxy.general.tuning.ssl_cipherList|default("") != "" %}
ssl-default-bind-ciphers {{ OPNsense.HAProxy.general.tuning.ssl_cipherList }}
{% endif %}
+{% if OPNsense.HAProxy.general.tuning.ssl_cipherSuites|default("") != "" %}
+ ssl-default-bind-ciphersuites {{ OPNsense.HAProxy.general.tuning.ssl_cipherSuites }}
+{% endif %}
{% endif %}
{# # pass-through options #}
{% if OPNsense.HAProxy.general.tuning.customOptions|default("") != "" %}
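Review bot: Moving `{% set bindopts = [] %}` above the ssl_bindOptions check means the unchanged guard `{% if (bindopts is defined and bindopts|default("") != "" )%}` no longer protects anything: the list is now always defined, and an empty list compared to `""` is true, so with ssl_defaultsEnabled set but no bind options and no min/max version the template emits a bare `ssl-default-bind-options` line with no arguments, which HAProxy will most likely reject at config check. Test the list's truthiness instead: `{% if bindopts %}`. The frontend hunk at line 1075 appends to ssl_options the same way, but its emitting condition is outside the diff, so it could not be checked for the same pattern.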
@@ -1064,9 +1075,18 @@ frontend {{frontend.name}}
{% do ssl_options.append(bindopt) %}
{% endfor %}
{% endif %}
+{% if frontend.ssl_minVersion|default("") != "" %}
+{% do ssl_options.append('ssl-min-ver ' ~ frontend.ssl_minVersion) %}
+{% endif %}
+{% if frontend.ssl_maxVersion|default("") != "" %}
+{% do ssl_options.append('ssl-max-ver ' ~ frontend.ssl_maxVersion) %}
+{% endif %}
{% if frontend.ssl_cipherList|default("") != "" %}
{% do ssl_options.append('ciphers ' ~ frontend.ssl_cipherList) %}
{% endif %}
+{% if frontend.ssl_cipherSuites|default("") != "" %}
+{% do ssl_options.append('ciphersuites ' ~ frontend.ssl_cipherSuites) %}
+{% endif %}
{# # HSTS #}
{% if frontend.ssl_hstsEnabled|default("") == '1' and frontend.mode == 'http' %}
{% set hsts_options = [] %}