Red Hat OpenStack Services on OpenShift / OSPRH-1377

BZ#1813551 Improved TLS cipher and protocol support


    • openstack-octavia-8.0.1-0.20210813161814.f16f72c.el8ost

      Today the default HAProxy configuration in the Amphora provider driver does not override the default cipher list. Operators and users may want to disable weak cipher suites, for example. Operators can override that list, but this is not ideal: they have to provide a custom HAProxy template file, in which options other than the cipher suites also need to be set.

      • Add an ability to set default SSL ciphers in the Octavia configuration
      • Add an ability to set cipher list for each listener
      • Add the ability to set a cipher "blacklist" in the Octavia config that has disallowed ciphers
      • Add the ability to set pool ciphers used when connecting to member servers
      • Add an ability to set default SSL protocols in the Octavia configuration
      • Add an ability to set protocol list for each listener
      • Add the ability to set a protocol "blacklist" in the Octavia config that has disallowed ciphers
      • Add the ability to set pool protocols used when connecting to member servers

      https://storyboard.openstack.org/#!/story/2006627
      https://storyboard.openstack.org/#!/story/2006733
      https://review.opendev.org/#/q/%22Story:+2006627%22
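
A sketch of how the requested settings could fit together for a listener, added here as an example and not taken from Octavia's code: a per-listener value overrides the operator default, the result is checked against the disallowed lists, and the outcome is rendered as HAProxy `bind` options. The function names, the config keys and the sample values are assumptions made for illustration.

```python
# Added example: every name here is hypothetical, not Octavia's implementation.
TLS_VERSIONS = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
# HAProxy bind keywords that each disable one protocol version.
HAPROXY_DISABLE = {
    "SSLv3": "no-sslv3", "TLSv1": "no-tlsv10", "TLSv1.1": "no-tlsv11",
    "TLSv1.2": "no-tlsv12", "TLSv1.3": "no-tlsv13",
}
# Constructed operator-wide settings (sample values, not recommendations).
SAMPLE_CONFIG = {
    "default_ciphers": "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256",
    "prohibited_ciphers": {"RC4-SHA", "DES-CBC3-SHA"},
    "default_versions": ["TLSv1.2", "TLSv1.3"],
    "prohibited_versions": {"SSLv3", "TLSv1", "TLSv1.1"},
}


def effective_tls(config, listener_ciphers=None, listener_versions=None):
    """Resolve one listener's ciphers and protocols, or raise ValueError."""
    # A per-listener value overrides the operator default.
    cipher_string = listener_ciphers or config["default_ciphers"]
    ciphers = [c for c in cipher_string.split(":") if c]
    versions = list(listener_versions or config["default_versions"])
    if not ciphers or not versions:
        raise ValueError("cipher list and protocol list must not be empty")
    # Literal name match only: OpenSSL aliases such as HIGH are not expanded,
    # so a deployment that allows aliases needs a stricter check than this.
    bad = sorted(set(ciphers) & config["prohibited_ciphers"])
    if bad:
        raise ValueError("prohibited ciphers: " + ", ".join(bad))
    unknown = [v for v in versions if v not in TLS_VERSIONS]
    if unknown:
        raise ValueError("unknown protocols: " + ", ".join(unknown))
    bad = sorted(set(versions) & config["prohibited_versions"])
    if bad:
        raise ValueError("prohibited protocols: " + ", ".join(bad))
    return ":".join(ciphers), versions


def haproxy_bind_options(cipher_string, versions):
    """Render the TLS part of a HAProxy bind line for the resolved settings."""
    # "ciphers" governs TLS 1.2 and earlier; TLS 1.3 suites use "ciphersuites".
    disabled = [HAPROXY_DISABLE[v] for v in TLS_VERSIONS if v not in versions]
    return " ".join(["ssl", "ciphers", cipher_string] + disabled)
```

Because the disallowed lists are applied to whichever value ends up in effect, an operator default that conflicts with them is rejected as well.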

              rhn-support-gthiemon Gregory Thiemonge
              jira-bugzilla-migration RH Bugzilla Integration
              rhos-dfg-networking-squad-vans