From 488f753d5753a8f793378f5b6e1faecce0660631 Mon Sep 17 00:00:00 2001
From: Varun Lodaya
Date: Thu, 23 Jul 2015 14:09:03 -0700
Subject: [PATCH] Fix for FREAK SSL vulnerability

This fix pushes selected set of secure ciphers into haproxy config file

Change-Id: Idfc11ce0411024e7154d3b2c46a095fb4f80337d
Closes-Bug: #1477400
---
 .../opencontrail_vrouter_netns/haproxy_config.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/vnsw/opencontrail-vrouter-netns/opencontrail_vrouter_netns/haproxy_config.py b/src/vnsw/opencontrail-vrouter-netns/opencontrail_vrouter_netns/haproxy_config.py
index 6f7c6cf4102..9c9f7319828 100644
--- a/src/vnsw/opencontrail-vrouter-netns/opencontrail_vrouter_netns/haproxy_config.py
+++ b/src/vnsw/opencontrail-vrouter-netns/opencontrail_vrouter_netns/haproxy_config.py
@@ -51,7 +51,12 @@ def _set_global_config(config, sock_path):
 'user nobody',
 'group nogroup',
 'log /dev/log local0',
- 'log /dev/log local1 notice'
+ 'log /dev/log local1 notice',
+ 'tune.ssl.default-dh-param 2048',
+ 'ssl-default-bind-ciphers ECDH+AESGCM:' \
+ 'DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:' \
+ 'DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:' \
+ 'RSA+3DES:!aNULL:!MD5:!DSS'
 ]
 conf.append('stats socket %s mode 0666 level user' % sock_path)
 return ("\n\t".join(conf))
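Review bot: The new `ssl-default-bind-ciphers` allowlist still admits the three 3DES families (`ECDH+3DES`, `DH+3DES`, `RSA+3DES`), so a client can still negotiate a 64-bit-block cipher; since the intent is a minimal secure set, drop those three entries and end the string with `:!aNULL:!eNULL:!EXPORT:!MD5:!DSS` so export-grade and null-encryption suites stay excluded even if the allowlist is edited later. The hunk also sets no protocol restriction — adding `'ssl-default-bind-options no-sslv3',` next to the cipher line closes the SSLv3 path, and both global keywords presumably need HAProxy 1.5 or later, which the deployed build should be checked for before merging. On style, the backslash continuations on the three `'ssl-default-bind-ciphers …'` lines are redundant inside the list literal: adjacent string literals already concatenate and the brackets give implicit line continuation, so the trailing `\` characters can simply be removed. The enclosing `_set_global_config` starts before this hunk.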