Disable TLS 1.1 on haproxy

While it is possible to implement countermeasures against some attacks
on TLS, migrating to a later version of TLS (TLS 1.2 is strongly
encouraged) is the only reliable method to protect against
the current protocol vulnerabilities.[1]

[1] https://blog.pcisecuritystandards.org/are-you-ready-for-30-june-2018-sayin-goodbye-to-ssl-early-tls

Change-Id: I44f67e3a49bb00fea069d29c46b3e86404c7df0b
Kevin Tibi 2018-07-19 11:38:53 +02:00
parent b699413aba
commit 16df54eaa5
2 changed files with 6 additions and 1 deletions


@ -16,7 +16,7 @@ global
stats socket /var/lib/kolla/haproxy/haproxy.sock group kolla mode 660 stats socket /var/lib/kolla/haproxy/haproxy.sock group kolla mode 660
{% if kolla_enable_tls_external | bool %} {% if kolla_enable_tls_external | bool %}
ssl-default-bind-ciphers DEFAULT:!MEDIUM:!3DES ssl-default-bind-ciphers DEFAULT:!MEDIUM:!3DES
ssl-default-bind-options no-sslv3 no-tlsv10 ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
tune.ssl.default-dh-param 4096 tune.ssl.default-dh-param 4096
{% endif %} {% endif %}
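Review bot: adding `no-tlsv11` to `ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11` leaves TLS 1.2 as the only version the external listeners will negotiate, which matches the commit message, but the list form only blocks versions that are named explicitly; if the haproxy shipped with this image is 1.8 or later, `ssl-min-ver TLSv1.2` expresses the same intent in one token and is the form haproxy documents as the preferred way to set a floor. Either way, note in the commit message or release note that clients which cannot speak TLS 1.2 will be refused, since the block only applies under `kolla_enable_tls_external` and operators may not expect internal and external endpoints to differ.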


@ -0,0 +1,5 @@
---
security:
- |
Disable TLS 1.1 on haproxy for external network if
tls is enabled.
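Review bot: the release note describes only the removed version; operators reading it want to know the resulting floor, so state that TLS 1.2 is now the minimum version accepted on the external VIP when `kolla_enable_tls_external` is set, and that SSLv3 and TLS 1.0 remain disabled as before. Also capitalize the protocol name and name the variable, e.g. "Disable TLS 1.1 on haproxy for the external network when `kolla_enable_tls_external` is true; TLS 1.2 is now the minimum accepted version."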