I just learned that my load balancer is vulnerable to the POODLE attack due to SSL 3. The recommended solution is to disable SSL 3.
I explained my HAProxy setup in a previous post, and also how I do SSL termination.
The section from my configuration I care about is:
```
frontend https-in
    bind *:443 ssl crt /certs/ncona.pem

    acl ncona-web-frontend hdr(host) -i ncona.com www.ncona.com
    use_backend ncona-web if ncona-web-frontend
```
This mode is called SSL offloading in HAProxy terms. Fixing it is as simple as adding a keyword (no-sslv3):
```
bind *:443 ssl crt /certs/ncona.pem no-sslv3
```
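To confirm that no other TLS listener was missed, the following added example (not part of my original setup or of HAProxy itself) scans a configuration for `bind ... ssl` lines that do not explicitly rule out SSL 3. It assumes three ways of doing so: `no-sslv3` on the bind line, `ssl-min-ver TLSv1.x` on the bind line, or either of those in a global `ssl-default-bind-options`; the sample configuration and the `https-fixed` frontend are constructed for the demonstration.

```python
# Added example: flag HAProxy TLS listeners that do not explicitly disable SSLv3.
# Simplification (assumption): '#' always starts a comment; quoting is not parsed.

SECTIONS = {"global", "defaults", "frontend", "backend", "listen"}

# Constructed sample: the vulnerable frontend from this post plus a fixed one.
SAMPLE_CFG = """\
global
    maxconn 256

frontend https-in
    bind *:443 ssl crt /certs/ncona.pem
    acl ncona-web-frontend hdr(host) -i ncona.com www.ncona.com
    use_backend ncona-web if ncona-web-frontend

frontend https-fixed
    bind *:8443 ssl crt /certs/ncona.pem no-sslv3
"""

def sslv3_blocked(tokens):
    """True if these keywords explicitly rule out SSLv3."""
    if "no-sslv3" in tokens:
        return True
    if "ssl-min-ver" in tokens:
        i = tokens.index("ssl-min-ver")
        # A minimum of TLSv1.0 or higher excludes SSLv3; "SSLv3" does not.
        return i + 1 < len(tokens) and tokens[i + 1].lower().startswith("tlsv")
    return False

def find_sslv3_binds(cfg_text):
    """Return [(line_no, section)] for TLS binds that may still accept SSLv3."""
    section, global_ok, binds = "", False, []
    for no, raw in enumerate(cfg_text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()
        if not tokens:
            continue
        if tokens[0] in SECTIONS:
            section = " ".join(tokens[:2])
        elif section == "global" and tokens[0] == "ssl-default-bind-options":
            global_ok = global_ok or sslv3_blocked(tokens[1:])
        elif tokens[0] == "bind" and "ssl" in tokens[2:]:
            binds.append((no, section, tokens))
    if global_ok:  # a global default covers every bind line
        return []
    return [(no, sec) for no, sec, toks in binds if not sslv3_blocked(toks)]

if __name__ == "__main__":
    for no, sec in find_sslv3_binds(SAMPLE_CFG):
        print(f"line {no} ({sec}): bind with ssl does not disable SSLv3")
```

An empty result only means every TLS bind line carries an explicit restriction; it does not test what the running process actually negotiates.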