From c02543929f8f475ac2963fc283fea8a6c5575cea Mon Sep 17 00:00:00 2001
From: Matt Kirman
Date: Sat, 30 Apr 2016 18:06:06 +0100
Subject: [PATCH] Removed TLS 1.0 from the default HAProxy SSL options (#176)
---
 Longhelp.md | 6 +++---
 config.py | 6 +++---
 tests/test_marathon_lb.py | 4 ++--
 3 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/Longhelp.md b/Longhelp.md
index 79645f96..2f7734d6 100644
--- a/Longhelp.md
+++ b/Longhelp.md
@@ -360,9 +360,9 @@ global
 maxconn 50000
 tune.ssl.default-dh-param 2048
 ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
- ssl-default-bind-options no-sslv3 no-tls-tickets
+ ssl-default-bind-options no-sslv3 no-tlsv10 no-tls-tickets
 ssl-default-server-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
- ssl-default-server-options no-sslv3 no-tls-tickets
+ ssl-default-server-options no-sslv3 no-tlsv10 no-tls-tickets
 stats socket /var/run/haproxy/socket
 server-state-file global
 server-state-base /var/state/haproxy/
@@ -848,7 +848,7 @@ Specified as `HAPROXY_{n}_BIND_OPTIONS`. Set additional bind options -Ex: `HAPROXY_0_BIND_OPTIONS = 'ciphers AES128+EECDH:AES128+EDH force-tlsv12 no-sslv3'` +Ex: `HAPROXY_0_BIND_OPTIONS = 'ciphers AES128+EECDH:AES128+EDH force-tlsv12 no-tlsv10 no-sslv3'` ## `HAPROXY_DEPLOYMENT_ALT_PORT` diff --git a/config.py b/config.py index eb7ce670..ce9cf882 100644 --- a/config.py +++ b/config.py @@ -41,7 +41,7 @@ def load(self): DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:\ EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:\ AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS - ssl-default-bind-options no-sslv3 no-tls-tickets + ssl-default-bind-options no-sslv3 no-tlsv10 no-tls-tickets ssl-default-server-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:\ ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:\ ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:\ @@ -53,7 +53,7 @@ def load(self): DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:\ EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:\ AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS - ssl-default-server-options no-sslv3 no-tls-tickets + ssl-default-server-options no-sslv3 no-tlsv10 no-tls-tickets stats socket /var/run/haproxy/socket server-state-file global server-state-base /var/state/haproxy/ @@ -1188,7 +1188,7 @@ def __init__(self, name, func, description, perServicePort=True): Set additional bind options Ex: `HAPROXY_0_BIND_OPTIONS = 'ciphers AES128+EECDH:AES128+EDH force-tlsv12\ - no-sslv3'` + no-sslv3 no-tlsv10'` ''')) labels.append(Label(name='BIND_ADDR', func=set_bindAddr, diff --git a/tests/test_marathon_lb.py b/tests/test_marathon_lb.py index d4418662..d12de412 100644 --- a/tests/test_marathon_lb.py +++ b/tests/test_marathon_lb.py 
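Review bot: `no-tlsv10` is added to `ssl-default-server-options` in the -53 hunk as well as to the bind defaults in the -41 hunk, so HAProxy will also refuse TLS 1.0 on its own connections to backends; any backend that only offers TLS 1.0 stops receiving traffic after this upgrade, and nothing in the change records that, so I would put a comment on the template assignment (outside the hunk) along the lines of `# no-tlsv10 also applies to backend TLS: servers must offer TLS 1.1 or newer`. TLS 1.1 remains negotiable on both sides after this change; if the goal is a TLS 1.2 floor, the corresponding keyword is `no-tlsv11` on both option lines. In the -1188 hunk the example `force-tlsv12 no-sslv3 no-tlsv10` is redundant, because `force-tlsv12` already restricts the listener to TLS 1.2 only; either drop the `no-*` keywords from the example or show them without `force-tlsv12`. `load` starts before and ends after these hunks.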
@@ -24,7 +24,7 @@ def setUp(self):
 DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:\
 EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:\
 AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
- ssl-default-bind-options no-sslv3 no-tls-tickets
+ ssl-default-bind-options no-sslv3 no-tlsv10 no-tls-tickets
 ssl-default-server-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:\
 ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:\
 ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:\
@@ -36,7 +36,7 @@ def setUp(self):
 DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:\
 EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:\
 AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
- ssl-default-server-options no-sslv3 no-tls-tickets
+ ssl-default-server-options no-sslv3 no-tlsv10 no-tls-tickets
 stats socket /var/run/haproxy/socket
 server-state-file global
 server-state-base /var/state/haproxy/
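Review bot: The fixture in `setUp` carries a verbatim copy of the whole HAProxy head template, so this one-keyword change has to be mirrored in two hunks (-24 and -36) and the test only proves the constant equals its own duplicate. An assertion that the rendered template contains `ssl-default-bind-options no-sslv3 no-tlsv10` (and the matching `ssl-default-server-options` line) would pin the TLS 1.0 removal directly and survive unrelated template edits. `setUp` starts before and ends after these hunks.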