Commands I used for reproducing the issue and verifying the fix:
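# Reproduction / verification transcript for the TLS cipher handling fix.
# Assumes an authenticated `openstack` CLI against a deployment with Octavia
# and Barbican, a subnet named public-subnet, a Barbican secret named
# tls_secret1 and a backend listening on 10.0.0.43:80.
LBNAME='lb-c2'
# Listener and pool get the same TLS options: one cipher string that mixes a
# TLS 1.2 cipher (ECDHE-RSA-AES256-GCM-SHA384) with TLS 1.3 suites
# (TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_CCM_SHA256), plus both protocol
# versions. Kept as an array so every option reaches the CLI as its own
# argument instead of depending on unquoted word-splitting.
TLSOPTS=(
  --tls-ciphers ECDHE-RSA-AES256-GCM-SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_CCM_SHA256
  --tls-version TLSv1.2
  --tls-version TLSv1.3
)
openstack loadbalancer create --wait --vip-subnet-id public-subnet --name "$LBNAME"
# Resolve the Barbican secret href first so a failed lookup is reported
# instead of silently passing an empty --default-tls-container.
tls_container=$(openstack secret list | awk '/ tls_secret1 / {print $2}')
: "${tls_container:?tls_secret1 not found in Barbican}"
openstack loadbalancer listener create --wait --name ls-c --protocol TERMINATED_HTTPS \
  --protocol-port 443 "${TLSOPTS[@]}" --default-tls-container="$tls_container" "$LBNAME"
openstack loadbalancer pool create --wait --listener ls-c --protocol HTTP \
  --lb-algorithm ROUND_ROBIN --enable-tls "${TLSOPTS[@]}" --name pl-c
openstack loadbalancer member create pl-c --wait --address 10.0.0.43 --protocol-port 80 --name mem1-c
# Read the rendered haproxy.cfg from the amphora and show only the cipher
# lines. Host-key checking is turned off because the amphora is a freshly
# built, disposable test instance whose key is not known in advance.
# The glob is quoted so it expands on the amphora, not in the local shell.
amphora_ip=$(openstack loadbalancer amphora list -f value -c lb_network_ip)
: "${amphora_ip:?no amphora lb_network_ip returned}"
ssh -o StrictHostKeyChecking=no -i /etc/octavia/.ssh/octavia_ssh_key "cloud-user@${amphora_ip}" \
  sudo cat '/var/lib/octavia/*/haproxy.cfg' | grep cipher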
Output (with fix):
bind 172.24.4.71:443 ssl crt-list /var/lib/octavia/certs/c0d38597-d13b-4e39-a1aa-25cf67ededa3/6001b31a-f1f4-4a0c-81e5-19b61542caac.pem ciphers ECDHE-RSA-AES256-GCM-SHA384:TLS_AES_128_CCM_SHA256 ciphersuites TLS_AES_128_CCM_SHA256:TLS_CHACHA20_POLY1305_SHA256 no-sslv3 no-tlsv10 no-tlsv11 alpn h2,http/1.1,http/1.0
server 1a72edbf-d4d4-47b9-a2b2-15ffc114609d 10.0.0.43:80 weight 1 ssl verify none sni ssl_fc_sni ciphers ECDHE-RSA-AES256-GCM-SHA384:TLS_AES_128_CCM_SHA256 ciphersuites TLS_AES_128_CCM_SHA256:TLS_CHACHA20_POLY1305_SHA256 no-sslv3 no-tlsv10 no-tlsv11 alpn h2,http/1.1,http/1.0
Commands I used for reproducing the issue and verifying the fix:
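# Reproduction / verification transcript for the TLS cipher handling fix
# (restored from a column-wrapped paste; the commands are the same as in the
# clean copy above). Assumes an authenticated `openstack` CLI against a
# deployment with Octavia and Barbican, a subnet named public-subnet, a
# Barbican secret named tls_secret1 and a backend listening on 10.0.0.43:80.
LBNAME='lb-c2'
# Listener and pool get the same TLS options: one cipher string that mixes a
# TLS 1.2 cipher (ECDHE-RSA-AES256-GCM-SHA384) with TLS 1.3 suites
# (TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_CCM_SHA256), plus both protocol
# versions. Kept as an array so every option reaches the CLI as its own
# argument instead of depending on unquoted word-splitting.
TLSOPTS=(
  --tls-ciphers ECDHE-RSA-AES256-GCM-SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_CCM_SHA256
  --tls-version TLSv1.2
  --tls-version TLSv1.3
)
openstack loadbalancer create --wait --vip-subnet-id public-subnet --name "$LBNAME"
# Resolve the Barbican secret href first so a failed lookup is reported
# instead of silently passing an empty --default-tls-container.
tls_container=$(openstack secret list | awk '/ tls_secret1 / {print $2}')
: "${tls_container:?tls_secret1 not found in Barbican}"
openstack loadbalancer listener create --wait --name ls-c --protocol TERMINATED_HTTPS \
  --protocol-port 443 "${TLSOPTS[@]}" --default-tls-container="$tls_container" "$LBNAME"
openstack loadbalancer pool create --wait --listener ls-c --protocol HTTP \
  --lb-algorithm ROUND_ROBIN --enable-tls "${TLSOPTS[@]}" --name pl-c
openstack loadbalancer member create pl-c --wait --address 10.0.0.43 --protocol-port 80 --name mem1-c
# Read the rendered haproxy.cfg from the amphora and show only the cipher
# lines. Host-key checking is turned off because the amphora is a freshly
# built, disposable test instance whose key is not known in advance.
# The glob is quoted so it expands on the amphora, not in the local shell.
amphora_ip=$(openstack loadbalancer amphora list -f value -c lb_network_ip)
: "${amphora_ip:?no amphora lb_network_ip returned}"
ssh -o StrictHostKeyChecking=no -i /etc/octavia/.ssh/octavia_ssh_key "cloud-user@${amphora_ip}" \
  sudo cat '/var/lib/octavia/*/haproxy.cfg' | grep cipher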
Output (with fix):
bind 172.24.4.71:443 ssl crt-list /var/lib/octavia/certs/c0d38597-d13b-4e39-a1aa-25cf67ededa3/6001b31a-f1f4-4a0c-81e5-19b61542caac.pem ciphers ECDHE-RSA-AES256-GCM-SHA384:TLS_AES_128_CCM_SHA256 ciphersuites TLS_AES_128_CCM_SHA256:TLS_CHACHA20_POLY1305_SHA256 no-sslv3 no-tlsv10 no-tlsv11 alpn h2,http/1.1,http/1.0
server 1a72edbf-d4d4-47b9-a2b2-15ffc114609d 10.0.0.43:80 weight 1 ssl verify none sni ssl_fc_sni ciphers ECDHE-RSA-AES256-GCM-SHA384:TLS_AES_128_CCM_SHA256 ciphersuites TLS_AES_128_CCM_SHA256:TLS_CHACHA20_POLY1305_SHA256 no-sslv3 no-tlsv10 no-tlsv11 alpn h2,http/1.1,http/1.0