Open borq79 opened 6 years ago
I've been looking for a configuration that allows me to set the TLS version to restrict to only allow TLS1.2 as well, but I wasn't able to find it. Since this issue exists, I guess that I can stop looking...
Any word on this request?
We need to support older devices with TLS 1.0. Currently, the only way to do so is forking the http-frontend.cfg template.
A more direct option to fine-tune the SSL (ciphers/versions) would be nice.
When SSL termination is done at the HAProxy level (rather than at an AWS ELB, for example), it would be very nice to be able to specify the protocols and limit/modify the cipher list that we want to support on a frontend. More specifically, the HAProxy line for a frontend bind as seen below (the force-tlsv12 and ciphers list). This is helpful in limiting a connection not only to TLS1.2 (and eventually TLSv1.3) but also lets someone control what ciphers they wish to limit to based on their security policy (akin to how you can adjust the security policy on an AWS ELB when terminating SSL at the ELB level).
bind *:8443 [SSL STUFF HERE] required force-tlsv12 ciphers ECDH+AES256:DH+AES256:DH+3DES:RSA+AESGCM:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
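Added example, not code from this issue or from the project's http-frontend.cfg template: a small linter that scans `bind ... ssl` lines in a rendered HAProxy config and reports frontends that still accept TLS below 1.2 or that leave weak ciphers enabled. It recognises the `force-tlsv12` form quoted above as well as HAProxy's `ssl-min-ver` and `no-tlsv10`/`no-tlsv11` spellings; the sample config and its port numbers are constructed for the demonstration.

```python
# Constructed sample config (not the project's generated template).
SAMPLE_CFG = """
frontend https-in
    bind *:443 ssl crt /etc/haproxy/site.pem
    bind *:8443 ssl crt /etc/haproxy/site.pem force-tlsv12 ciphers ECDH+AES256:DH+3DES:RSA+AESGCM:!aNULL:!eNULL:!3DES:!MD5
    bind *:9443 ssl crt /etc/haproxy/site.pem ssl-min-ver TLSv1.2 ciphers ECDHE+AESGCM:RSA+RC4
    bind *:10443 ssl crt /etc/haproxy/site.pem no-tlsv10 no-tlsv11
    bind *:80
"""

WEAK = {"3DES", "DES", "RC4", "MD5", "EXP", "aNULL", "eNULL"}
STRONG_MIN = {"TLSv1.2", "TLSv1.3"}

def weak_enabled(cipher_str):
    """Weak OpenSSL cipher components that a cipher list leaves enabled.
    '!X' kills X permanently, so 'DH+3DES' next to '!3DES' is harmless."""
    parts = cipher_str.split(":")
    killed = {p[1:] for p in parts if p.startswith("!")}
    enabled = set()
    for p in parts:
        if not p or p[0] in "!-+":   # '-' and '+' are ignored (heuristic)
            continue
        enabled |= set(p.split("+"))
    return sorted((enabled & WEAK) - killed)

def min_tls_ok(opts):
    """True if the bind options pin the minimum protocol to TLS 1.2 or newer."""
    if "force-tlsv12" in opts or "force-tlsv13" in opts:
        return True
    if "ssl-min-ver" in opts and opts[opts.index("ssl-min-ver") + 1] in STRONG_MIN:
        return True
    # Older syntax: the legacy versions have to be disabled one by one.
    return {"no-tlsv10", "no-tlsv11"} <= set(opts)

def lint(cfg):
    """One finding per TLS bind that is weaker than a TLS1.2-only policy."""
    findings = []
    for line in cfg.splitlines():
        opts = line.split()
        if len(opts) < 3 or opts[0] != "bind" or "ssl" not in opts:
            continue  # plaintext bind or unrelated line
        addr = opts[1]
        if not min_tls_ok(opts):
            findings.append(f"{addr}: accepts TLS < 1.2 (no force-tlsv12/ssl-min-ver)")
        if "ciphers" in opts:
            weak = weak_enabled(opts[opts.index("ciphers") + 1])
            if weak:
                findings.append(f"{addr}: cipher list still enables {','.join(weak)}")
        else:
            findings.append(f"{addr}: no explicit cipher list (OpenSSL defaults apply)")
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE_CFG):
        print(finding)
```

Run it against the output of the template you forked to confirm every TLS frontend carries the version pin and cipher list you expect; `haproxy -c -f <file>` still has to validate the syntax itself.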