Disable TLS 1.1 on haproxy
While it is possible to implement countermeasures against some attacks on TLS, migrating to a later version of TLS (TLS 1.2 is strongly encouraged) is the only reliable method to protect against the current protocol vulnerabilities.[1]

[1] https://blog.pcisecuritystandards.org/are-you-ready-for-30-june-2018-sayin-goodbye-to-ssl-early-tls

Change-Id: I44f67e3a49bb00fea069d29c46b3e86404c7df0b
parent b699413aba
commit 16df54eaa5
@ -16,7 +16,7 @@ global
stats socket /var/lib/kolla/haproxy/haproxy.sock group kolla mode 660
stats socket /var/lib/kolla/haproxy/haproxy.sock group kolla mode 660
{% if kolla_enable_tls_external | bool %}
{% if kolla_enable_tls_external | bool %}
ssl-default-bind-ciphers DEFAULT:!MEDIUM:!3DES
ssl-default-bind-ciphers DEFAULT:!MEDIUM:!3DES
ssl-default-bind-options no-sslv3 no-tlsv10
ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
tune.ssl.default-dh-param 4096
tune.ssl.default-dh-param 4096
{% endif %}
{% endif %}
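Review bot: the version blocklist in `ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11` now disables every protocol below TLS 1.2 one keyword at a time; if the haproxy kolla ships is 1.8 or newer, `ssl-default-bind-options ssl-min-ver TLSv1.2` states the intent directly and will not need another `no-tlsv1x` entry later. Either way, the setting lives inside `{% if kolla_enable_tls_external | bool %}`, so it only raises the floor on the external TLS listeners, and it is a default: a `bind ... ssl` line that sets its own version options in the rendered config would take precedence, which is worth confirming none do. The cipher default `DEFAULT:!MEDIUM:!3DES` is left untouched, so this hunk changes the protocol floor only, not the cipher suites.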
releasenotes/notes/disable_tlsv11-51d6be67d593f7ab.yaml (new file, 5 lines)
@ -0,0 +1,5 @@
---
security:
- |
Disable TLS 1.1 on haproxy for external network if
tls is enabled.
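Review bot: the note "Disable TLS 1.1 on haproxy for external network if tls is enabled." tells operators what was removed but not what remains, which is the fact they need before upgrading: after this change TLS 1.2 is the lowest version the external haproxy listeners accept, so clients that only speak TLS 1.0/1.1 will fail to connect. Suggest stating that explicitly, for example "TLS 1.2 is now the minimum protocol version on the external haproxy endpoints when TLS is enabled", and writing "TLS" and "HAProxy" in their usual capitalisation in the same sentence.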