This repository has been archived by the owner on Dec 4, 2024. It is now read-only.

Remove TLS 1.0 from the default HAProxy SSL options #176

Merged
merged 1 commit into from
Apr 30, 2016

Conversation

mattkirman
Contributor

PCI-DSS 3.1 states that SSL and TLS 1.0 can no longer be used for new implementations after June 30, 2016 (existing implementations now have until June 2018 to migrate).

This PR removes TLS 1.0 support from HAProxy as most browser/OS combinations currently support TLS 1.1 or greater by default (the exception being anyone stuck on Windows Vista or earlier). As this is effectively a breaking change for those that have to support old clients, it may be desirable to place this behind a flag instead?

Ref: http://blog.pcisecuritystandards.org/migrating-from-ssl-and-early-tls
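As a check for the setting this PR changes, here is an added example that is not code from marathon-lb: it audits an HAProxy configuration for TLS listeners that would still negotiate TLS 1.0. Both configuration fragments are constructed for illustration rather than taken from the project's templates; `no-tlsv10`, `force-tlsv11`/`force-tlsv12` and `ssl-min-ver` (HAProxy 1.8 onward) are the HAProxy keywords the check understands.

```python
from typing import List

# Constructed "before" fragment: SSLv3 is off but TLS 1.0 is still offered on *:443.
WEAK_CFG = """
global
    ssl-default-bind-options no-sslv3 no-tls-tickets
frontend https_in
    bind *:443 ssl crt /etc/ssl/private/site.pem
    bind *:8443 ssl crt /etc/ssl/private/admin.pem no-tlsv10
"""

# Constructed "after" fragment: the change this PR makes, TLS 1.0 dropped globally.
FIXED_CFG = """
global
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tls-tickets
frontend https_in
    bind *:443 ssl crt /etc/ssl/private/site.pem
    bind *:8443 ssl crt /etc/ssl/private/admin.pem
"""

def _disables_tls10(tokens: List[str]) -> bool:
    """True if these bind/default options switch TLS 1.0 off: an explicit
    no-tlsv10, a force-tlsv11/force-tlsv12, or ssl-min-ver TLSv1.1 or higher."""
    if "no-tlsv10" in tokens or "force-tlsv11" in tokens or "force-tlsv12" in tokens:
        return True
    if "ssl-min-ver" in tokens:
        i = tokens.index("ssl-min-ver")
        return i + 1 < len(tokens) and tokens[i + 1] in ("TLSv1.1", "TLSv1.2", "TLSv1.3")
    return False

def _tokens(cfg: str):
    """Yield the token list of each non-empty config line, comments stripped."""
    for raw in cfg.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if tokens:
            yield tokens

def tls10_exposed_binds(cfg: str) -> List[str]:
    """Return each `bind ... ssl` line that would still accept TLS 1.0.
    HAProxy merges ssl-default-bind-options into every TLS bind line, so a
    global no-tlsv10 covers all listeners; otherwise each bind must disable it."""
    global_off = any(t[0] == "ssl-default-bind-options" and _disables_tls10(t[1:])
                     for t in _tokens(cfg))
    return [" ".join(t) for t in _tokens(cfg)
            if t[0] == "bind" and "ssl" in t[1:]
            and not (global_off or _disables_tls10(t[1:]))]

if __name__ == "__main__":
    print("weak config exposes:", tls10_exposed_binds(WEAK_CFG))   # the *:443 listener
    print("fixed config exposes:", tls10_exposed_binds(FIXED_CFG))  # []
```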

@brndnmtthws
Contributor

Seems reasonable. I prefer "secure by default", but obviously this will break compatibility for old clients.

I'd like to gather some feedback before I merge this.

@air

air commented Apr 29, 2016

+1 for secure by default.
If customers were to ask for it (likely they won't), we could add an opt-in flag to re-enable TLS 1.0.

@lloesche
Contributor

@brndnmtthws my two cents: I prefer secure by default as well. Let's create a tag and add a disclaimer in the README that tells folks something along the lines of:

Note: For security reasons versions of marathon-lb vX.XX and later disable TLS 1.0 by default. If you require TLS 1.0 you will have to re-enable it manually in the templates.

@brndnmtthws brndnmtthws merged commit c025439 into d2iq-archive:master Apr 30, 2016