How to secure SSL/TLS configuration of Red Hat OpenStack Platform against DROWN and Poodle Attack

Solution In Progress - Updated -

Issue

Note: For later versions of OSP, see the documentation. E.g., for OSP 13, refer to: https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/13/html-single/advanced_overcloud_customization/index#changing_the_ssl_tls_cipher_and_rules_for_haproxy

Verifying the horizon and swift endpoints with an SSL analyzer (e.g. ssllabs) yields a classification of F because the SSL/TLS configuration is vulnerable to the POODLE and DROWN attacks. How can one fix that?

Some of the error messages that one might see in addition to POODLE:

 - DROWN attack (Experimental: This server is vulnerable to the DROWN attack. Grade set to F.)
 - Weak Diffie-Hellman
 - This server accepts RC4 cipher, but only with older protocol versions
 - This server's certificate chain is incomplete
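As an added example (not part of the original article, and not Red Hat's code), the following sketch audits an HAProxy configuration for the settings behind three of the findings above: SSLv3 left enabled (POODLE), RC4 in the cipher list, and a Diffie-Hellman parameter below 2048 bits. It assumes the endpoints are TLS-terminated by HAProxy, as the documentation linked in the note describes for later versions; the sample configuration, addresses, paths and function names are constructed for illustration, and DROWN exposure and certificate chain completeness still have to be confirmed with the analyzer.

```python
# Constructed sample configuration (not from the article or a real deployment).
SAMPLE_CFG = """\
global
    tune.ssl.default-dh-param 1024
    ssl-default-bind-ciphers HIGH:RC4-SHA:!aNULL:!MD5

listen horizon
    bind 192.0.2.10:443 ssl crt /etc/pki/tls/private/example.pem
listen swift_proxy
    bind 192.0.2.10:13808 ssl crt /etc/pki/tls/private/example.pem no-sslv3 ciphers HIGH:!RC4
"""

def sslv3_off(tokens):
    """True if the tokens disable SSLv3 (no-sslv3, or ssl-min-ver TLSv1.x)."""
    if "no-sslv3" in tokens:
        return True
    return any(a == "ssl-min-ver" and b.startswith("TLSv1") for a, b in zip(tokens, tokens[1:]))

def allows_rc4(cipher_list):
    """Heuristic: an explicit RC4 token that is not negated with '!' or '-'."""
    return any("RC4" in c and c[0] not in "!-" for c in cipher_list.split(":") if c)

def audit_haproxy(cfg):
    """Return sorted (line_no, finding) tuples; line_no 0 is a global setting."""
    dh_bits, global_opts, global_ciphers, binds = None, [], "", []
    for no, raw in enumerate(cfg.splitlines(), 1):
        w = raw.split("#", 1)[0].split()
        if len(w) < 2:
            continue
        if w[0] == "tune.ssl.default-dh-param":
            dh_bits = int(w[1])
        elif w[0] == "ssl-default-bind-options":
            global_opts = w[1:]
        elif w[0] == "ssl-default-bind-ciphers":
            global_ciphers = w[1]
        elif w[0] == "bind" and "ssl" in w[2:]:
            binds.append((no, w[2:]))
    findings = []
    if dh_bits is None or dh_bits < 2048:  # treating "unset" as weak is an assumption
        findings.append((0, "weak-dh"))
    for no, opts in binds:
        if not (sslv3_off(opts) or sslv3_off(global_opts)):
            findings.append((no, "sslv3-enabled"))
        # A per-bind "ciphers" list overrides the global default list.
        ciphers = opts[opts.index("ciphers") + 1] if "ciphers" in opts[:-1] else global_ciphers
        if allows_rc4(ciphers):
            findings.append((no, "rc4-allowed"))
    return sorted(findings)
```

The RC4 check only sees RC4 named explicitly; a cipher alias that expands to RC4 on an older OpenSSL build is not detected, so rescan the endpoints after any change.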

Environment

Red Hat Enterprise Linux OpenStack Platform 7.0
Red Hat OpenStack Platform 8.0
