haproxy-config.template: Allow empty ciphers

Allow the empty value for TLS ciphers (TLSv1.2 and earlier) and cipher
suites (TLSv1.3), and use the empty value instead of setting a default
value.  Specifying the empty value means that the corresponding TLS
version cannot be used.

This commit fixes bug OCPBUGS-58040.

https://issues.redhat.com/browse/OCPBUGS-58040

* haproxy-config.template: Allow the empty value for ROUTER_CIPHERS and
ROUTER_CIPHERSUITES.  Rather than using a default value, pass an empty
value through to HAProxy (which in turn passes it through to OpenSSL).

Author: Miciah

images/router/haproxy/conf/haproxy-config.template

@@ -5,7 +5,7 @@
 */}}
 {{- define "conf/haproxy.config" }}
 {{- $workingDir := .WorkingDir }}
-{{- $routerCiphers := env "ROUTER_CIPHERS" "intermediate" }}
+{{- $routerCiphers := env "ROUTER_CIPHERS" }}
 {{- $routerCiphersuites := env "ROUTER_CIPHERSUITES" }}
 {{- $defaultDestinationCA := .DefaultDestinationCA }}
 {{- $dynamicConfigManager := .DynamicConfigManager }}
@@ -90,9 +90,9 @@ global
   ssl-default-bind-options ssl-min-ver {{ env "SSL_MIN_VERSION" "TLSv1.2" }}
 {{- if ne (env "SSL_MAX_VERSION" "") "" }} ssl-max-ver {{env "SSL_MAX_VERSION" }}{{ end }}
 
-# The default cipher suite can be selected from the three sets recommended by https://wiki.mozilla.org/Security/Server_Side_TLS,
-# or the user can provide one using the ROUTER_CIPHERS environment variable.
-# By default when a cipher set is not provided, intermediate is used.
+  # The default cipher suite can be selected from the three sets recommended by https://wiki.mozilla.org/Security/Server_Side_TLS,
+  # or the user can provide one using the ROUTER_CIPHERS environment variable.
+  # ROUTER_CIPHERS may be empty, in which case TLSv1.2 and earlier are not allowed.
   {{- if eq $routerCiphers "modern" }}
   # Modern cipher suite (no legacy browser support) from https://wiki.mozilla.org/Security/Server_Side_TLS
   tune.ssl.default-dh-param 2048
@@ -106,19 +106,20 @@ global
   tune.ssl.default-dh-param 1024
   ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP
   {{- else }}
-  # user provided list of ciphers (Colon separated list as seen above)
-  # the env default is not used here since we can't get here with empty ROUTER_CIPHERS
+  # User-provided list of ciphers (colon-separated list as seen above).
   tune.ssl.default-dh-param 2048
-  ssl-default-bind-ciphers {{ env "ROUTER_CIPHERS" "ECDHE-ECDSA-CHACHA20-POLY1305" }}
+  ssl-default-bind-ciphers "{{ $routerCiphers }}"
   {{- end }}
   {{/*
     The ssl-default-bind-ciphers option above configures ciphers for TLSv1.0,
     TLSv1.1, and TLSv1.2; for TLSv1.3, cipher suites are configured using the
     ssl-default-bind-ciphersuites option below.
   */}}
-  {{- with $routerCiphersuites }}
-  ssl-default-bind-ciphersuites {{ $routerCiphersuites }}
-  {{- end }}
+  # The TLSv1.3 cipher suites are configured separately
+  # using the ROUTER_CIPHERSUITES environment variable.
+  # This list may be empty, in which case TLSv1.3 is not allowed.
+  ssl-default-bind-ciphersuites "{{ $routerCiphersuites }}"
+
   {{- with $captureCookie := .CaptureHTTPCookie }}
     {{- if (gt $captureCookie.MaxLength 63) }}
   tune.http.cookielen {{ $captureCookie.MaxLength }}