Disable SSLv3

Add the 'ssl-default-bind-options no-sslv3' option to the configuration file so that SSLv3 is not enabled. Change-Id: I2d06189e61064d9af10bea1091fba31163331379 Closes-Bug: 1640560
2016-11-09 12:19:44 -06:00 · 2016-11-09 12:19:44 -06:00 · 1716a70703
commit 1716a70703
parent d7cc047f8d
2 changed files with 7 additions and 1 deletions
--- a/releasenotes/notes/disable-sslv3-303acdcc6b593180.yaml
+++ b/releasenotes/notes/disable-sslv3-303acdcc6b593180.yaml
@ -0,0 +1,3 @@
+---
+fixes:
+  - SSLv3 is now disabled in the haproxy daemon configuration by default.
--- a/templates/haproxy.cfg.j2
+++ b/templates/haproxy.cfg.j2
@ -10,7 +10,10 @@ global
        maxconn 4096
        tune.bufsize 384000
        stats socket /var/run/haproxy.stat level admin mode 600
-        {% if haproxy_ssl | bool %}tune.ssl.default-dh-param {{haproxy_ssl_dh_param}}{% endif %}
+        {% if haproxy_ssl | bool %}
+        ssl-default-bind-options no-sslv3
+        tune.ssl.default-dh-param {{haproxy_ssl_dh_param}}
+        {% endif %}

 defaults
        log global