openstack
/
openstack-ansible-haproxy_server
Code Issues Proposed changes

Force force-tlsv12 only 

Secure by default

Change-Id: I70007af94bfd5e482662ab72d25bf090cf5d0834
This commit is contained in:
Matthew Thode 2018-12-04 10:30:33 -06:00
parent 08455bb0ba
commit 547d7f91be
No known key found for this signature in database
GPG Key ID: 64A37BEAAE19A4E8
2 changed files with 8 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
defaults/main.yml
View File

@ -68,7 +68,7 @@ haproxy_ssl_pem: /etc/ssl/private/haproxy.pem
haproxy_ssl_ca_cert: /etc/ssl/certs/haproxy-ca.pem
haproxy_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ external_lb_vip_address }}/subjectAltName=IP.1={{ external_lb_vip_address }}"
haproxy_ssl_cipher_suite: "{{ ssl_cipher_suite | default('ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS') }}"
haproxy_ssl_bind_options: "no-sslv3"
haproxy_ssl_bind_options: "force-tlsv12"
# hatop extra package URL and checksum
haproxy_hatop_download_url: "https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/hatop/hatop-0.7.7.tar.gz"

7
releasenotes/notes/tls12-only-a22d5f3f8198617f.yaml Normal file
View File

@ -0,0 +1,7 @@
---
security:
- |
The default TLS version has been set to force-tlsv12. This only allows
version 1.2 of the protocol to be used when terminating or creating TLS
connections. You can change the value with the haproxy_ssl_bind_options
variable.