From 2df761b58ee7820f150d4e622d1925fb70f6f051 Mon Sep 17 00:00:00 2001
From: Juan Antonio Osorio Robles
Date: Thu, 8 Mar 2018 17:28:27 +0200
Subject: [PATCH] Disallow TLS v1.0 from HAProxy

This forces HAProxy to only accept newer versions of TLS, which allows us to meet FedRAMP requirements.

Change-Id: I14f4de3875a743ee5328b13668790b26cefd8439
Related-Bug: #1754368
(cherry picked from commit ebde918b0f0cea8715a30f57ca7c2683dd477c50)
---
 manifests/haproxy.pp | 4 ++--
 releasenotes/notes/No-TLS-v1.0-0edeac680bb51f94.yaml | 4 ++++
 2 files changed, 6 insertions(+), 2 deletions(-)
 create mode 100644 releasenotes/notes/No-TLS-v1.0-0edeac680bb51f94.yaml

diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp
index 569c992a9..d1251631a 100644
--- a/manifests/haproxy.pp
+++ b/manifests/haproxy.pp
@@ -153,7 +153,7 @@
 #
 # [*ssl_options*]
 # String that sets the default ssl options to force on all "bind" lines.
-# Defaults to 'no-sslv3'
+# Defaults to 'no-sslv3 no-tlsv10'
 #
 # [*ca_bundle*]
 # Path to the CA bundle to be used for HAProxy to validate the certificates of
@@ -605,7 +605,7 @@ class tripleo::haproxy (
 $internal_certificates_specs = {},
 $enable_internal_tls = hiera('enable_internal_tls', false),
 $ssl_cipher_suite = '!SSLv2:kEECDH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES',
- $ssl_options = 'no-sslv3',
+ $ssl_options = 'no-sslv3 no-tlsv10',
 $ca_bundle = '/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt',
 $crl_file = undef,
 $haproxy_stats_certificate = undef,
diff --git a/releasenotes/notes/No-TLS-v1.0-0edeac680bb51f94.yaml b/releasenotes/notes/No-TLS-v1.0-0edeac680bb51f94.yaml
new file mode 100644
index 000000000..674b152f7
--- /dev/null
+++ b/releasenotes/notes/No-TLS-v1.0-0edeac680bb51f94.yaml
@@ -0,0 +1,4 @@
+---
+security:
+ - |
+ TLS v1.0 connections are no longer accepted by our HAProxy configuration.
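Review bot: The new `$ssl_options` default `'no-sslv3 no-tlsv10'` in the second hunk of manifests/haproxy.pp disables only TLS 1.0, so TLS 1.1 remains negotiable under this default; if the policy behind this change later requires a TLS 1.2 floor, HAProxy's `no-tlsv11` keyword is the matching addition. Because `$ssl_options` is a free-form string, a deployment that already overrides it (for example through hiera) keeps its previous value and still accepts TLS 1.0, which the release note's "no longer accepted" does not convey. I would extend the parameter documentation in the first hunk with `#   Note: overrides replace this default entirely and must repeat 'no-tlsv10'; TLS 1.1 is still permitted by the default.` The effect also depends on how this string is rendered into the HAProxy configuration (presumably the global bind defaults), which lies outside both hunks and is worth confirming is emitted verbatim; the class declaration of `tripleo::haproxy` begins before the second hunk and its body continues after it.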