Disallow TLS v1.0 from HAProxy
This forces HAProxy to only accept newer versions of TLS, which allows us to meet FedRAMP requirements. Change-Id: I14f4de3875a743ee5328b13668790b26cefd8439 Related-Bug: #1754368
This commit is contained in:
parent
bd5599ca59
commit
ebde918b0f
@ -144,7 +144,7 @@
|
||||
#
|
||||
# [*ssl_options*]
|
||||
# String that sets the default ssl options to force on all "bind" lines.
|
||||
# Defaults to 'no-sslv3'
|
||||
# Defaults to 'no-sslv3 no-tlsv10'
|
||||
#
|
||||
# [*ca_bundle*]
|
||||
# Path to the CA bundle to be used for HAProxy to validate the certificates of
|
||||
@ -587,7 +587,7 @@ class tripleo::haproxy (
|
||||
$internal_certificates_specs = {},
|
||||
$enable_internal_tls = hiera('enable_internal_tls', false),
|
||||
$ssl_cipher_suite = '!SSLv2:kEECDH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES',
|
||||
$ssl_options = 'no-sslv3',
|
||||
$ssl_options = 'no-sslv3 no-tlsv10',
|
||||
$ca_bundle = '/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt',
|
||||
$crl_file = undef,
|
||||
$haproxy_stats_certificate = undef,
|
||||
|
4
releasenotes/notes/No-TLS-v1.0-0edeac680bb51f94.yaml
Normal file
4
releasenotes/notes/No-TLS-v1.0-0edeac680bb51f94.yaml
Normal file
@ -0,0 +1,4 @@
|
||||
---
|
||||
security:
|
||||
- |
|
||||
TLS v1.0 connections are no longer accepted by our HAProxy configuration.
|
Loading…
x
Reference in New Issue
Block a user