Merge "Adjust default configuration to support TLS v1.3"

defaults/main.yml

@@ -88,8 +88,12 @@ haproxy_ssl: true
 haproxy_ssl_all_vips: false
 haproxy_ssl_dh_param: 2048
 haproxy_ssl_cert_path: /etc/haproxy/ssl
-haproxy_ssl_cipher_suite: "{{ ssl_cipher_suite | default('ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS') }}"
-haproxy_ssl_bind_options: "force-tlsv12"
+haproxy_ssl_bind_options: "ssl-min-ver TLSv1.2 prefer-client-ciphers"
+haproxy_ssl_server_options: "ssl-min-ver TLSv1.2"
+# TLS v1.2 and below
+haproxy_ssl_cipher_suite_tls12: "{{ haproxy_ssl_cipher_suite | default(ssl_cipher_suite_tls12 | default('ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS')) }}"
+# TLS v1.3
+haproxy_ssl_cipher_suite_tls13: "{{ ssl_cipher_suite_tls13 | default('TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256') }}"
 
 # haproxy self signed certificate
 

releasenotes/notes/tls_variables-91160d4e38085de4.yaml

@@ -0,0 +1,9 @@
+---
+features:
+  - |
+    The HAProxy role now supports TLS v1.3 by default, alongside TLS v1.2.
+deprecations:
+  - |
+    The variable 'haproxy_ssl_cipher_suite' is deprecated in favour of
+    'haproxy_ssl_cipher_suite_tls12' which will continue to manage
+    configuration of ciphers for TLS v1.2 and earlier.

templates/haproxy.cfg.j2

@@ -23,7 +23,16 @@ global
 {% endif %}
         {% if haproxy_ssl | bool %}
         ssl-default-bind-options {{ haproxy_ssl_bind_options }}
-        tune.ssl.default-dh-param {{haproxy_ssl_dh_param}}
+        ssl-default-server-options {{ haproxy_ssl_server_options }}
+        {% if haproxy_ssl_cipher_suite_tls13 != "" -%}
+        ssl-default-bind-ciphersuites {{ haproxy_ssl_cipher_suite_tls13 }}
+        ssl-default-server-ciphersuites {{ haproxy_ssl_cipher_suite_tls13 }}
+        {% endif -%}
+        {% if haproxy_ssl_cipher_suite_tls12 != "" -%}
+        ssl-default-bind-ciphers {{ haproxy_ssl_cipher_suite_tls12 }}
+        ssl-default-server-ciphers {{ haproxy_ssl_cipher_suite_tls12 }}
+        {% endif -%}
+        tune.ssl.default-dh-param {{ haproxy_ssl_dh_param }}
         {% endif %}
 
 defaults
@@ -40,7 +49,7 @@ defaults
 
 {% if haproxy_stats_enabled | bool %}
 listen stats
-    bind {{ haproxy_stats_bind_address }}:{{ haproxy_stats_port }} {% if haproxy_ssl | bool %}ssl crt {{ haproxy_ssl_cert_path }}/haproxy_{{ ansible_facts['hostname'] }}-{{ haproxy_bind_internal_lb_vip_address }}.pem ciphers {{ haproxy_ssl_cipher_suite }}{% endif %}
+    bind {{ haproxy_stats_bind_address }}:{{ haproxy_stats_port }} {% if haproxy_ssl | bool %}ssl crt {{ haproxy_ssl_cert_path }}/haproxy_{{ ansible_facts['hostname'] }}-{{ haproxy_bind_internal_lb_vip_address }}.pem{% endif %}
 
 {% if haproxy_stats_process is defined %}
     bind-process {{ haproxy_stats_process }}

templates/service.j2

@@ -37,7 +37,7 @@ bind {{ vip_bind }}:{{ item.service.haproxy_redirect_http_port }}
 {% endif %}
 
 frontend {{ item.service.haproxy_service_name }}-front-{{ loop.index }}
-    bind {{ vip_bind }}:{{ item.service.haproxy_port }} {% if (item.service.haproxy_ssl | default(false) | bool) and (loop.index == 1 or vip_bind in extra_lb_tls_vip_addresses or (item.service.haproxy_ssl_all_vips | default(false) | bool and vip_bind not in extra_lb_vip_addresses)) %}ssl crt {{ haproxy_ssl_cert_path }}/haproxy_{{ ansible_facts['hostname'] }}-{{ vip_bind }}.pem ciphers {{ haproxy_ssl_cipher_suite }}{% endif %}
+    bind {{ vip_bind }}:{{ item.service.haproxy_port }} {% if (item.service.haproxy_ssl | default(false) | bool) and (loop.index == 1 or vip_bind in extra_lb_tls_vip_addresses or (item.service.haproxy_ssl_all_vips | default(false) | bool and vip_bind not in extra_lb_vip_addresses)) %}ssl crt {{ haproxy_ssl_cert_path }}/haproxy_{{ ansible_facts['hostname'] }}-{{ vip_bind }}.pem {% endif %}
 
 {% if request_option == "http" %}
     option httplog