Disallow TLS v1.0 from HAProxy

This forces HAProxy to only accept newer versions of TLS, which allows us to meet FedRAMP requirements. Conflicts: manifests/haproxy.pp Change-Id: I14f4de3875a743ee5328b13668790b26cefd8439 Related-Bug: #1754368 (cherry picked from commit ebde918b0f)
2018-03-08 17:28:27 +02:00 · 2018-03-08 17:28:27 +02:00 · b83cc42da9
commit b83cc42da9
parent a2b2df9be7
2 changed files with 6 additions and 2 deletions
--- a/manifests/haproxy.pp
+++ b/manifests/haproxy.pp
@ -98,7 +98,7 @@
 #
 # [*ssl_options*]
 #  String that sets the default ssl options to force on all "bind" lines.
-#  Defaults to 'no-sslv3'
+#  Defaults to 'no-sslv3 no-tlsv10'
 #
 # [*haproxy_stats_certificate*]
 #  Filename of an HAProxy-compatible certificate and key file
@ -327,7 +327,7 @@ class tripleo::haproxy (
  $service_certificate       = undef,
  $internal_certificate      = undef,
  $ssl_cipher_suite          = '!SSLv2:kEECDH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES',
-  $ssl_options               = 'no-sslv3',
+  $ssl_options               = 'no-sslv3 no-tlsv10',
  $haproxy_stats_certificate = undef,
  $keystone_admin            = hiera('keystone_enabled', false),
  $keystone_admin_public     = true,
--- a/releasenotes/notes/No-TLS-v1.0-0edeac680bb51f94.yaml
+++ b/releasenotes/notes/No-TLS-v1.0-0edeac680bb51f94.yaml
@ -0,0 +1,4 @@
+---
+security:
+  - |
+    TLS v1.0 connections are no longer accepted by our HAProxy configuration.