I just learned that my load balancer is vulnerable to the POODLE attack because it still accepts SSL 3. The recommended solution is to disable SSL 3.
I explained my HAProxy setup in a previous post, and also how I do SSL termination.
The section from my configuration I care about is:
frontend https-in
    bind *:443 ssl crt /certs/ncona.pem
    acl ncona-web-frontend hdr(host) -i ncona.com www.ncona.com
    use_backend ncona-web if ncona-web-frontend
This mode is called SSL offloading in HAProxy terms. Fixing it is as simple as adding the no-sslv3 keyword to the bind line:
    bind *:443 ssl crt /certs/ncona.pem no-sslv3
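Once more than one frontend terminates TLS it is easy to fix one bind line and forget another, so here is a small audit script I would keep next to the config. It is an added example, not code from the post: it parses HAProxy configuration text, finds every `bind ... ssl` line, and reports the ones that can still negotiate SSLv3. It goes slightly beyond the post in accepting the other HAProxy keywords that exclude SSLv3 as well: `force-tlsv1x`, `ssl-min-ver TLSv1.x` (HAProxy 1.8+), and a global `ssl-default-bind-options no-sslv3` that covers all bind lines at once. The sample configuration is constructed for the example (the vulnerable frontend from the post plus two hardened variants); the section names and ports are assumptions.

```python
"""Audit an HAProxy configuration for 'bind ... ssl' lines that can still
negotiate SSLv3 (the POODLE exposure discussed in the post).

Added example, not the post author's code. Any of these count as fixed:
'no-sslv3' or 'force-tlsv1x' or 'ssl-min-ver TLSv1.x' on the bind line,
or 'ssl-default-bind-options' with one of those in the global section.
"""

SECTION_KEYWORDS = ("global", "defaults", "frontend", "backend", "listen")


def excludes_sslv3(tokens):
    """True if this option list (from a bind line or from
    ssl-default-bind-options) carries an option that rules out SSLv3."""
    for i, tok in enumerate(tokens):
        if tok == "no-sslv3":
            return True
        if tok.startswith("force-tlsv1"):  # pins a single TLS version
            return True
        if tok == "ssl-min-ver" and i + 1 < len(tokens):
            if tokens[i + 1].upper().startswith("TLS"):
                return True
    return False


def audit_sslv3(config_text):
    """Return a list of (section, line_number, bind_line) for every
    SSL-terminating bind line that still allows SSLv3; [] means clean."""
    lines = config_text.splitlines()

    # Pass 1: does the global section already disable SSLv3 for all binds?
    section = None
    global_safe = False
    for raw in lines:
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        if tokens[0] in SECTION_KEYWORDS:
            section = tokens[0]
        elif section == "global" and tokens[0] == "ssl-default-bind-options":
            global_safe = excludes_sslv3(tokens[1:])

    # Pass 2: inspect each bind line that enables SSL/TLS termination.
    findings = []
    section = None
    for lineno, raw in enumerate(lines, start=1):
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        if tokens[0] in SECTION_KEYWORDS:
            section = " ".join(tokens[:2])
        elif tokens[0] == "bind" and "ssl" in tokens[1:]:
            if not (global_safe or excludes_sslv3(tokens[1:])):
                findings.append((section, lineno, raw.strip()))
    return findings


# Constructed sample config: the vulnerable frontend from the post plus
# two hardened variants (not the author's real file; ports are assumed).
SAMPLE_CONFIG = """\
global
    log /dev/log local0

frontend https-in
    bind *:443 ssl crt /certs/ncona.pem
    acl ncona-web-frontend hdr(host) -i ncona.com www.ncona.com
    use_backend ncona-web if ncona-web-frontend

frontend https-fixed
    bind *:8443 ssl crt /certs/ncona.pem no-sslv3

frontend https-modern
    bind *:9443 ssl crt /certs/ncona.pem ssl-min-ver TLSv1.2

frontend http-in
    bind *:80
"""

# Same config with the global default applied, so every bind is covered.
HARDENED_GLOBAL = SAMPLE_CONFIG.replace(
    "    log /dev/log local0",
    "    log /dev/log local0\n    ssl-default-bind-options no-sslv3",
)

if __name__ == "__main__":
    for section, lineno, line in audit_sslv3(SAMPLE_CONFIG):
        print(f"{section} (line {lineno}): SSLv3 still allowed: {line}")
```

Run it against the real file with `audit_sslv3(open("/etc/haproxy/haproxy.cfg").read())`; an empty list means every TLS-terminating bind line is covered. The script only reads the configuration, so it is also safe to wire into a pre-deploy check.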