From 1716a7070341dbef6436f27709d18f07cf75e65f Mon Sep 17 00:00:00 2001
From: "Kyle L. Henderson"
Date: Wed, 9 Nov 2016 12:19:44 -0600
Subject: [PATCH] Disable SSLv3

Add the 'ssl-default-bind-options no-sslv3' option to the configuration file so that SSLv3 is not enabled.

Change-Id: I2d06189e61064d9af10bea1091fba31163331379
Closes-Bug: 1640560
---
 releasenotes/notes/disable-sslv3-303acdcc6b593180.yaml | 3 +++
 templates/haproxy.cfg.j2 | 5 ++++-
 2 files changed, 7 insertions(+), 1 deletion(-)
 create mode 100644 releasenotes/notes/disable-sslv3-303acdcc6b593180.yaml

diff --git a/releasenotes/notes/disable-sslv3-303acdcc6b593180.yaml b/releasenotes/notes/disable-sslv3-303acdcc6b593180.yaml
new file mode 100644
index 0000000..778c13a
--- /dev/null
+++ b/releasenotes/notes/disable-sslv3-303acdcc6b593180.yaml
@@ -0,0 +1,3 @@
+---
+fixes:
+ - SSLv3 is now disabled in the haproxy daemon configuration by default.
diff --git a/templates/haproxy.cfg.j2 b/templates/haproxy.cfg.j2
index df09c1b..7dc7a43 100644
--- a/templates/haproxy.cfg.j2
+++ b/templates/haproxy.cfg.j2
@@ -10,7 +10,10 @@ global
 maxconn 4096
 tune.bufsize 384000
 stats socket /var/run/haproxy.stat level admin mode 600
- {% if haproxy_ssl | bool %}tune.ssl.default-dh-param {{haproxy_ssl_dh_param}}{% endif %}
+ {% if haproxy_ssl | bool %}
+ ssl-default-bind-options no-sslv3
+ tune.ssl.default-dh-param {{haproxy_ssl_dh_param}}
+ {% endif %}
 
 defaults
 log global
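Review bot: The added `ssl-default-bind-options no-sslv3` in the `global` section only sets the default for `bind` lines, so any `server ... ssl` lines elsewhere in this template (none are visible in the hunk) would still be free to negotiate SSLv3 toward backends. If the template has such lines, add `ssl-default-server-options no-sslv3` inside the same `{% if haproxy_ssl | bool %}` block. A short comment above the option, for example `# SSLv3 is disabled on all TLS listeners (bug 1640560)`, would keep the reason next to the setting. The `global` section starts above the hunk, so other SSL defaults set there are not visible from here.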