From 16df54eaa532025f674cffcf7e7d2b1bde56e98f Mon Sep 17 00:00:00 2001
From: Kevin Tibi
Date: Thu, 19 Jul 2018 11:38:53 +0200
Subject: [PATCH] Disable TLS 1.1 on haproxy

While it is possible to implement countermeasures against some attacks on TLS, migrating to a later version of TLS (TLS 1.2 is strongly encouraged) is the only reliable method to protect against the current protocol vulnerabilities.[1]

[1] https://blog.pcisecuritystandards.org/are-you-ready-for-30-june-2018-sayin-goodbye-to-ssl-early-tls

Change-Id: I44f67e3a49bb00fea069d29c46b3e86404c7df0b
---
 ansible/roles/haproxy/templates/haproxy.cfg.j2 | 2 +-
 releasenotes/notes/disable_tlsv11-51d6be67d593f7ab.yaml | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)
 create mode 100644 releasenotes/notes/disable_tlsv11-51d6be67d593f7ab.yaml

diff --git a/ansible/roles/haproxy/templates/haproxy.cfg.j2 b/ansible/roles/haproxy/templates/haproxy.cfg.j2
index fffe96fa89..4d87acde80 100644
--- a/ansible/roles/haproxy/templates/haproxy.cfg.j2
+++ b/ansible/roles/haproxy/templates/haproxy.cfg.j2
@@ -16,7 +16,7 @@ global
     stats socket /var/lib/kolla/haproxy/haproxy.sock group kolla mode 660
 {% if kolla_enable_tls_external | bool %}
     ssl-default-bind-ciphers DEFAULT:!MEDIUM:!3DES
-    ssl-default-bind-options no-sslv3 no-tlsv10
+    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
     tune.ssl.default-dh-param 4096
 {% endif %}
diff --git a/releasenotes/notes/disable_tlsv11-51d6be67d593f7ab.yaml b/releasenotes/notes/disable_tlsv11-51d6be67d593f7ab.yaml
new file mode 100644
index 0000000000..e8ee865ca1
--- /dev/null
+++ b/releasenotes/notes/disable_tlsv11-51d6be67d593f7ab.yaml
@@ -0,0 +1,5 @@
+---
+security:
+  - |
+    Disable TLS 1.1 on haproxy for external network if
+    tls is enabled.
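Review bot: The new `ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11` line is a deny-list that has to be extended every time another protocol version is retired, whereas the intent stated in the commit message is "TLS 1.2 or newer"; on HAProxy 1.8 or later that intent is expressed directly and stays correct as new versions appear with `ssl-default-bind-options ssl-min-ver TLSv1.2`, so if the HAProxy shipped by this role is new enough I would prefer that form, and keep the `no-*` list only for older releases. The template carries no explanation of why these versions are disabled, so a reader of the rendered config cannot tell whether the list is deliberate; a Jinja comment above the line such as `{# TLS 1.0/1.1 are disabled because they are no longer considered secure; see the release note disable_tlsv11 #}` would record the rationale without affecting the rendered file. Note that this only governs the listening (`bind`) side inside the `kolla_enable_tls_external` block; if any backend servers are contacted over TLS, `ssl-default-server-options` is not covered by this change, though I cannot tell from the hunk whether that case exists.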