Disable TLS 1.1 on haproxy

While it is possible to implement countermeasures against some attacks on TLS, migrating to a later version of TLS (TLS 1.2 is strongly encouraged) is the only reliable method to protect against the current protocol vulnerabilities.[1] [1] https://blog.pcisecuritystandards.org/are-you-ready-for-30-june-2018-sayin-goodbye-to-ssl-early-tls Change-Id: I44f67e3a49bb00fea069d29c46b3e86404c7df0b

Disable TLS 1.1 on haproxy
16df54ea · Kevin Tibi · b699413a · 16df54ea · 16df54ea
Commit 16df54ea authored 6 years ago by Kevin Tibi
--- a/ansible/roles/haproxy/templates/haproxy.cfg.j2
+++ b/ansible/roles/haproxy/templates/haproxy.cfg.j2
@@ -16,7 +16,7 @@ global
  stats socket /var/lib/kolla/haproxy/haproxy.sock group kolla mode 660
 {% if kolla_enable_tls_external | bool %}
  ssl-default-bind-ciphers DEFAULT:!MEDIUM:!3DES
-  ssl-default-bind-options no-sslv3 no-tlsv10
+  ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
  tune.ssl.default-dh-param 4096
 {% endif %}


--- a/releasenotes/notes/disable_tlsv11-51d6be67d593f7ab.yaml
+++ b/releasenotes/notes/disable_tlsv11-51d6be67d593f7ab.yaml
+---
+security:
+  - |
+    Disable TLS 1.1 on haproxy for external network if
+    tls is enabled.