Fix for SSL Freak vulnerability

This fix pushes selected set of secure ciphers into haproxy config file. Change-Id: I3d93da64aa48c42b7150ca7846215b51df5274ba Closes-Bug: #1477400
Juniper · Jul 23, 2015 · 59937d4 · 59937d4
1 parent e1cc50e
commit 59937d4
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/src/vnsw/agent/oper/loadbalancer_haproxy.cc b/src/vnsw/agent/oper/loadbalancer_haproxy.cc
@@ -61,6 +61,12 @@ void LoadbalancerHaproxy::GenerateGlobal(
     *out << string(4, ' ') << "daemon" << endl;
     *out << string(4, ' ') << "user nobody" << endl;
     *out << string(4, ' ') << "group nogroup" << endl;
+    *out << string(4, ' ') << "tune.ssl.default-dh-param 2048" << endl;
+    *out << string(4, ' ') << "ssl-default-bind-ciphers " <<
+                              "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:" <<
+                              "DH+AES256:ECDH+AES128:DH+AES:" <<
+                              "ECDH+3DES:DH+3DES:RSA+AESGCM:" <<
+                              "RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS" << endl;
     *out << endl;
 }