From 722886b7faceb6e03545fb9ad1552ea0aac179d8 Mon Sep 17 00:00:00 2001
From: Varun Lodaya
Date: Thu, 23 Jul 2015 14:13:52 -0700
Subject: [PATCH] Fix for FREAK SSL vulnerability
This fix pushes selected set of secure ciphers into haproxy config file
Change-Id: I7aff0fab44484fb235ee0432dbee8dc13efc3a63
Closes-Bug: #1477400
---
 src/vnsw/agent/oper/loadbalancer_haproxy.cc | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/src/vnsw/agent/oper/loadbalancer_haproxy.cc b/src/vnsw/agent/oper/loadbalancer_haproxy.cc
index cfdc45716c0..2b22542d268 100644
--- a/src/vnsw/agent/oper/loadbalancer_haproxy.cc
+++ b/src/vnsw/agent/oper/loadbalancer_haproxy.cc
@@ -64,6 +64,12 @@ void LoadbalancerHaproxy::GenerateGlobal(
 *out << string(4, ' ') << "group nogroup" << endl;
 *out << string(4, ' ') << "stats socket " << filename << ".sock mode 0666 level user" << endl;
+ *out << string(4, ' ') << "tune.ssl.default-dh-param 2048" << endl;
+ *out << string(4, ' ') << "ssl-default-bind-ciphers " <<
+ "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:" <<
+ "DH+AES256:ECDH+AES128:DH+AES:" <<
+ "ECDH+3DES:DH+3DES:RSA+AESGCM:" <<
+ "RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS" << endl;
 *out << endl;
 }
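Review bot: The new `ssl-default-bind-ciphers` allowlist still admits the 3DES suites (`ECDH+3DES`, `DH+3DES`, `RSA+3DES`) and the static-RSA key-exchange suites (`RSA+AESGCM`, `RSA+AES`), which provide no forward secrecy, so the hardening is narrower than the "secure ciphers" wording in the commit message suggests; consider dropping the 3DES entries and adding `!EXPORT` explicitly so the FREAK-related export suites are excluded by name rather than only by omission. Pinning ciphers alone does not restrict the protocol version; an adjacent `*out << string(4, ' ') << "ssl-default-bind-options no-sslv3" << endl;` would complete the intent of the change (presumably supported by the haproxy version in use — verify). The cipher string is also hard-coded across four concatenated literals; hoisting it into a named file-scope constant such as `static const char kDefaultBindCiphers[] = "...";` with a comment stating why each family is included would make future review of this list much easier. GenerateGlobal's signature and the start of its body lie outside the hunk.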