openstack/puppet-tripleo
Code Issues Proposed changes

Disallow TLS v1.0 from HAProxy

Browse Source 
This forces HAProxy to only accept newer versions of TLS, which allows
us to meet FedRAMP requirements.

Change-Id: I14f4de3875a743ee5328b13668790b26cefd8439
Related-Bug: #1754368
This commit is contained in:
Juan Antonio Osorio Robles
2018-03-08 17:28:27 +02:00
committed by Alex Schultz
parent bd5599ca59
commit ebde918b0f
2 changed files with 6 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
manifests/haproxy.pp
View File

@@ -144,7 +144,7 @@
# #
# [*ssl_options*] # [*ssl_options*]
# String that sets the default ssl options to force on all "bind" lines. # String that sets the default ssl options to force on all "bind" lines.
# Defaults to 'no-sslv3' # Defaults to 'no-sslv3 no-tlsv10'
# #
# [*ca_bundle*] # [*ca_bundle*]
# Path to the CA bundle to be used for HAProxy to validate the certificates of # Path to the CA bundle to be used for HAProxy to validate the certificates of
@@ -587,7 +587,7 @@ class tripleo::haproxy (
$internal_certificates_specs = {}, $internal_certificates_specs = {},
$enable_internal_tls = hiera('enable_internal_tls', false), $enable_internal_tls = hiera('enable_internal_tls', false),
$ssl_cipher_suite = '!SSLv2:kEECDH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES', $ssl_cipher_suite = '!SSLv2:kEECDH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES',
$ssl_options = 'no-sslv3', $ssl_options = 'no-sslv3 no-tlsv10',
$ca_bundle = '/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt', $ca_bundle = '/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt',
$crl_file = undef, $crl_file = undef,
$haproxy_stats_certificate = undef, $haproxy_stats_certificate = undef,

4
releasenotes/notes/No-TLS-v1.0-0edeac680bb51f94.yaml Normal file
View File

@@ -0,0 +1,4 @@
---
security:
- |
TLS v1.0 connections are no longer accepted by our HAProxy configuration.