From 547d7f91be7c73c81abccb91ffa3b973ed62b37f Mon Sep 17 00:00:00 2001
From: Matthew Thode
Date: Tue, 4 Dec 2018 10:30:33 -0600
Subject: [PATCH] Force force-tlsv12 only

Secure by default

Change-Id: I70007af94bfd5e482662ab72d25bf090cf5d0834
---
 defaults/main.yml | 2 +-
 releasenotes/notes/tls12-only-a22d5f3f8198617f.yaml | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)
 create mode 100644 releasenotes/notes/tls12-only-a22d5f3f8198617f.yaml

diff --git a/defaults/main.yml b/defaults/main.yml
index d552304..6d9eaca 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -68,7 +68,7 @@ haproxy_ssl_pem: /etc/ssl/private/haproxy.pem
 haproxy_ssl_ca_cert: /etc/ssl/certs/haproxy-ca.pem
 haproxy_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ external_lb_vip_address }}/subjectAltName=IP.1={{ external_lb_vip_address }}"
 haproxy_ssl_cipher_suite: "{{ ssl_cipher_suite | default('ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS') }}"
-haproxy_ssl_bind_options: "no-sslv3"
+haproxy_ssl_bind_options: "force-tlsv12"
 
 # hatop extra package URL and checksum
 haproxy_hatop_download_url: "https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/hatop/hatop-0.7.7.tar.gz"
diff --git a/releasenotes/notes/tls12-only-a22d5f3f8198617f.yaml b/releasenotes/notes/tls12-only-a22d5f3f8198617f.yaml
new file mode 100644
index 0000000..674f075
--- /dev/null
+++ b/releasenotes/notes/tls12-only-a22d5f3f8198617f.yaml
@@ -0,0 +1,7 @@
+---
+security:
+  - |
+    The default TLS version has been set to force-tlsv12. This only allows
+    version 1.2 of the protocol to be used when terminating or creating TLS
+    connections. You can change the value with the haproxy_ssl_bind_options
+    variable.
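Review bot: `force-tlsv12` on the new `haproxy_ssl_bind_options` line pins the listener to exactly TLS 1.2 rather than setting a floor, so it also excludes TLS 1.3 on HAProxy/OpenSSL builds that support it; on HAProxy 1.8 or later, `ssl-min-ver TLSv1.2` expresses the intended "1.2 or newer" minimum without that cap. If older HAProxy releases must stay supported, keep the value but record the trade-off above the line: `# force-tlsv12 pins exactly TLS 1.2 (also excludes 1.3); on HAProxy >= 1.8 prefer "ssl-min-ver TLSv1.2"`. The release note should say the same, since "only allows version 1.2" currently reads as a deliberate cap rather than a limitation of the keyword. How this variable is rendered into the bind line lives in a template outside this diff, so I cannot confirm it is appended verbatim.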