From 6622e3d207b42dc99a639d66c2ce7c121dd4107a Mon Sep 17 00:00:00 2001
From: Bart Geesink
Date: Thu, 4 Jul 2024 08:58:31 +0200
Subject: [PATCH] Haproxy: Minimse the cipher list that is exposed. Logging still shows TlSv1.2, so we still support it for a while
---
 roles/haproxy/templates/haproxy_global.cfg.j2 | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/roles/haproxy/templates/haproxy_global.cfg.j2 b/roles/haproxy/templates/haproxy_global.cfg.j2
index 3b5ede255..8636b3a1d 100644
--- a/roles/haproxy/templates/haproxy_global.cfg.j2
+++ b/roles/haproxy/templates/haproxy_global.cfg.j2
@@ -12,9 +12,9 @@ global
 ulimit-n 9000
 daemon
 ssl-default-bind-options no-sslv3 no-tls-tickets
- ssl-default-bind-ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+AESGCM:DH+AES256:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
+ ssl-default-bind-ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128
 ssl-default-server-options no-sslv3 no-tls-tickets
- ssl-default-server-ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+AESGCM:DH+AES256:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
+ ssl-default-server-ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128
 {% if haproxy_metricbeat %}
 stats socket 127.0.0.1:14567
 {% endif %}
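Review bot: The new `ssl-default-bind-ciphers` line drops the `!aNULL` exclusion that the removed line carried, and in OpenSSL cipher-string terms `ECDH` selects anonymous ECDH as well as ECDHE, so depending on which suites the linked OpenSSL build ships the trimmed list may admit unauthenticated AECDH suites that the old list explicitly rejected; the same applies to the `ssl-default-server-ciphers` line two lines below. Keeping the guard costs nothing: `ssl-default-bind-ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!aNULL` and the same `:!aNULL` suffix on the server line (`!MD5` and `!DSS` were redundant for an ECDH-only set and can stay dropped). `ECDH+AES256:ECDH+AES128` also still matches the CBC/SHA-1 variants of those suites, so if the intent is AEAD-only, `ECDH+AESGCM` alone expresses it. These directives govern TLS 1.2 and below only; the TLS 1.3 suite set is configured separately via `ssl-default-bind-ciphersuites` and is untouched by this commit, which is worth recording above the line, e.g. `# TLS <=1.2 only: ECDHE, AEAD preferred; TLS 1.3 suites are set via ssl-default-bind-ciphersuites`.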