tls1.2: update ciphers to latest recommendations

Based upon usual recommendations from: https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ Change-Id: I6e549ab3ffcacebe04e188cbf34d8707fb0fe05d
2022-08-05 10:43:31 +01:00 · 2022-08-05 10:43:31 +01:00 · 8dc0ff4e1f
parent 06e76706c7
commit 8dc0ff4e1f
1 changed files with 1 additions and 1 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -95,7 +95,7 @@ haproxy_ssl_cert_path: /etc/haproxy/ssl
 haproxy_ssl_bind_options: "ssl-min-ver TLSv1.2 prefer-client-ciphers"
 haproxy_ssl_server_options: "ssl-min-ver TLSv1.2"
 # TLS v1.2 and below
-haproxy_ssl_cipher_suite_tls12: "{{ haproxy_ssl_cipher_suite | default(ssl_cipher_suite_tls12 | default('ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS')) }}"
+haproxy_ssl_cipher_suite_tls12: "{{ haproxy_ssl_cipher_suite | default(ssl_cipher_suite_tls12 | default('ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES256:ECDH+AES128:!aNULL:!SHA1:!AESCCM')) }}"
 # TLS v1.3
 haproxy_ssl_cipher_suite_tls13: "{{ ssl_cipher_suite_tls13 | default('TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256') }}"