Disallow TLS v1.0 from HAProxy
This forces HAProxy to only accept newer versions of TLS, which allows
us to meet FedRAMP requirements.
Change-Id: I14f4de3875a743ee5328b13668790b26cefd8439
Related-Bug: #1754368
(cherry picked from commit ebde918b0f
)
This commit is contained in:
parent
2bad92b5a5
commit
30c7009ce6
|
@ -135,7 +135,7 @@
|
|||
#
|
||||
# [*ssl_options*]
|
||||
# String that sets the default ssl options to force on all "bind" lines.
|
||||
# Defaults to 'no-sslv3'
|
||||
# Defaults to 'no-sslv3 no-tlsv10'
|
||||
#
|
||||
# [*ca_bundle*]
|
||||
# Path to the CA bundle to be used for HAProxy to validate the certificates of
|
||||
|
@ -548,7 +548,7 @@ class tripleo::haproxy (
|
|||
$internal_certificates_specs = {},
|
||||
$enable_internal_tls = hiera('enable_internal_tls', false),
|
||||
$ssl_cipher_suite = '!SSLv2:kEECDH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES',
|
||||
$ssl_options = 'no-sslv3',
|
||||
$ssl_options = 'no-sslv3 no-tlsv10',
|
||||
$ca_bundle = '/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt',
|
||||
$haproxy_stats_certificate = undef,
|
||||
$keystone_admin = hiera('keystone_enabled', false),
|
||||
|
|
|
@ -0,0 +1,4 @@
|
|||
---
|
||||
security:
|
||||
- |
|
||||
TLS v1.0 connections are no longer accepted by our HAProxy configuration.
|
Loading…
Reference in New Issue