Disallow TLS v1.0 from HAProxy

This forces HAProxy to only accept newer versions of TLS, which allows us to meet FedRAMP requirements. Change-Id: I14f4de3875a743ee5328b13668790b26cefd8439 Related-Bug: #1754368 (cherry picked from commit ebde918b0f)
2018-03-08 17:28:27 +02:00 · 2018-03-08 17:28:27 +02:00 · 2df761b58e
parent c95c51c951
commit 2df761b58e
2 changed files with 6 additions and 2 deletions
--- a/manifests/haproxy.pp
+++ b/manifests/haproxy.pp
@ -153,7 +153,7 @@
 #
 # [*ssl_options*]
 #  String that sets the default ssl options to force on all "bind" lines.
-#  Defaults to 'no-sslv3'
+#  Defaults to 'no-sslv3 no-tlsv10'
 #
 # [*ca_bundle*]
 #  Path to the CA bundle to be used for HAProxy to validate the certificates of
@ -605,7 +605,7 @@ class tripleo::haproxy (
  $internal_certificates_specs = {},
  $enable_internal_tls         = hiera('enable_internal_tls', false),
  $ssl_cipher_suite            = '!SSLv2:kEECDH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES',
-  $ssl_options                 = 'no-sslv3',
+  $ssl_options                 = 'no-sslv3 no-tlsv10',
  $ca_bundle                   = '/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt',
  $crl_file                    = undef,
  $haproxy_stats_certificate   = undef,
--- a/releasenotes/notes/No-TLS-v1.0-0edeac680bb51f94.yaml
+++ b/releasenotes/notes/No-TLS-v1.0-0edeac680bb51f94.yaml
@ -0,0 +1,4 @@
+---
+security:
+  - |
+    TLS v1.0 connections are no longer accepted by our HAProxy configuration.