Comment 6 for bug 2065798

Tom Weininger (tweining) wrote (last edit):

Commands I used for reproducing the issue and verifying the fix:

LBNAME='lb-c2'
TLSOPTS="--tls-ciphers ECDHE-RSA-AES256-GCM-SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_CCM_SHA256 --tls-version TLSv1.2 --tls-version TLSv1.3"
openstack loadbalancer create --wait --vip-subnet-id public-subnet --name $LBNAME
openstack loadbalancer listener create --wait --name ls-c --protocol TERMINATED_HTTPS --protocol-port 443 ${TLSOPTS} --default-tls-container=$(openstack secret list | awk '/ tls_secret1 / {print $2}') $LBNAME
openstack loadbalancer pool create --wait --listener ls-c --protocol HTTP --lb-algorithm ROUND_ROBIN --enable-tls ${TLSOPTS} --name pl-c
openstack loadbalancer member create pl-c --wait --address 10.0.0.43 --protocol-port 80 --name mem1-c

ssh -o StrictHostKeyChecking=no -i /etc/octavia/.ssh/octavia_ssh_key cloud-user@$(openstack loadbalancer amphora list -f value -c lb_network_ip) sudo cat /var/lib/octavia/*/haproxy.cfg | grep cipher

Output (with fix):
    bind 172.24.4.71:443 ssl crt-list /var/lib/octavia/certs/c0d38597-d13b-4e39-a1aa-25cf67ededa3/6001b31a-f1f4-4a0c-81e5-19b61542caac.pem ciphers ECDHE-RSA-AES256-GCM-SHA384:TLS_AES_128_CCM_SHA256 ciphersuites TLS_AES_128_CCM_SHA256:TLS_CHACHA20_POLY1305_SHA256 no-sslv3 no-tlsv10 no-tlsv11 alpn h2,http/1.1,http/1.0
    server 1a72edbf-d4d4-47b9-a2b2-15ffc114609d 10.0.0.43:80 weight 1 ssl verify none sni ssl_fc_sni ciphers ECDHE-RSA-AES256-GCM-SHA384:TLS_AES_128_CCM_SHA256 ciphersuites TLS_AES_128_CCM_SHA256:TLS_CHACHA20_POLY1305_SHA256 no-sslv3 no-tlsv10 no-tlsv11 alpn h2,http/1.1,http/1.0
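The check below is an added example, not Octavia code and not part of the commands in the comment above. It takes the cipher string and protocol versions that were requested with `--tls-ciphers` / `--tls-version` and a `bind` or `server` line from the generated haproxy.cfg, and reports any requested cipher that did not land in the right HAProxy keyword (`ciphers` for TLS 1.2 and older, `ciphersuites` for TLS 1.3) or any requested version that a `no-tlsvXX` flag disables. The rule that a TLS 1.3 suite is recognised by its `TLS_` prefix follows OpenSSL's naming and is an assumption of this example; the sample `bind` line is the one quoted in the output above, while the second sample line is constructed to show what a failing check looks like.

```python
"""Verify that a generated HAProxy bind/server line honours the requested TLS
options.  Added example: not Octavia's code and not the reporter's script."""

# HAProxy keywords that disable a protocol version, mapped to the
# version names used by the openstack CLI's --tls-version option.
NO_VERSION_FLAGS = {
    "no-sslv3": "SSLv3",
    "no-tlsv10": "TLSv1.0",
    "no-tlsv11": "TLSv1.1",
    "no-tlsv12": "TLSv1.2",
    "no-tlsv13": "TLSv1.3",
}


def is_tls13_suite(name: str) -> bool:
    # Assumption: OpenSSL names TLS 1.3 ciphersuites with the IANA-style
    # TLS_ prefix (e.g. TLS_AES_128_CCM_SHA256); TLS 1.2 and older cipher
    # names (e.g. ECDHE-RSA-AES256-GCM-SHA384) never carry it.
    return name.startswith("TLS_")


def split_cipher_string(cipher_string: str):
    """Split a colon-separated list into (tls12_ciphers, tls13_ciphersuites)."""
    tls12, tls13 = [], []
    for name in filter(None, cipher_string.split(":")):
        (tls13 if is_tls13_suite(name) else tls12).append(name)
    return tls12, tls13


def parse_haproxy_tls_line(line: str) -> dict:
    """Pull ciphers, ciphersuites and disabled versions out of a bind/server line."""
    tokens = line.split()
    parsed = {"ciphers": [], "ciphersuites": [], "disabled": set()}
    for i, tok in enumerate(tokens):
        if tok in ("ciphers", "ciphersuites") and i + 1 < len(tokens):
            parsed[tok] = tokens[i + 1].split(":")
        elif tok in NO_VERSION_FLAGS:
            parsed["disabled"].add(NO_VERSION_FLAGS[tok])
    return parsed


def check_tls_line(line: str, requested_ciphers: str, requested_versions) -> list:
    """Return mismatch descriptions; an empty list means the line is consistent."""
    want12, want13 = split_cipher_string(requested_ciphers)
    have = parse_haproxy_tls_line(line)
    problems = []
    for c in want12:
        if c not in have["ciphers"]:
            problems.append(f"TLS 1.2 cipher {c} missing from 'ciphers'")
    for c in want13:
        if c not in have["ciphersuites"]:
            problems.append(f"TLS 1.3 suite {c} missing from 'ciphersuites'")
    for v in requested_versions:
        if v in have["disabled"]:
            problems.append(f"requested {v} is disabled by a no-tlsv flag")
    return problems


# Values from the comment above: the TLSOPTS used in the reproducer ...
REQUESTED_CIPHERS = ("ECDHE-RSA-AES256-GCM-SHA384:"
                     "TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_CCM_SHA256")
REQUESTED_VERSIONS = ["TLSv1.2", "TLSv1.3"]

# ... and the bind line from the haproxy.cfg generated with the fix.
BIND_LINE_WITH_FIX = (
    "bind 172.24.4.71:443 ssl crt-list /var/lib/octavia/certs/"
    "c0d38597-d13b-4e39-a1aa-25cf67ededa3/6001b31a-f1f4-4a0c-81e5-19b61542caac.pem "
    "ciphers ECDHE-RSA-AES256-GCM-SHA384:TLS_AES_128_CCM_SHA256 "
    "ciphersuites TLS_AES_128_CCM_SHA256:TLS_CHACHA20_POLY1305_SHA256 "
    "no-sslv3 no-tlsv10 no-tlsv11 alpn h2,http/1.1,http/1.0"
)

# Constructed sample (not real Octavia output): the TLS 1.3 suites never made
# it into a 'ciphersuites' keyword, so the check must report both of them.
CONSTRUCTED_LINE_NO_SUITES = (
    "bind 172.24.4.71:443 ssl crt-list /path/to/placeholder.pem "
    "ciphers ECDHE-RSA-AES256-GCM-SHA384 no-sslv3 no-tlsv10 no-tlsv11"
)

if __name__ == "__main__":
    for label, line in (("with fix", BIND_LINE_WITH_FIX),
                        ("constructed broken", CONSTRUCTED_LINE_NO_SUITES)):
        problems = check_tls_line(line, REQUESTED_CIPHERS, REQUESTED_VERSIONS)
        print(f"{label}: {'OK' if not problems else problems}")
```

Run against every `bind` and `server` line from the `grep cipher` output to confirm both the frontend and the re-encrypting backend carry the requested suites; a line that only lists `ciphers` is exactly the case the check is designed to flag.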