DOC: ssl: Stop documenting ciphers example to use

Since TLS ciphers are not well understand, it is very common pratice to copy and paste parameters from documentation and use them as-is. Since RC4 should not be used anymore, it is wiser to link users to up to date documnetation from Mozilla to avoid unsafe configuration in the wild. Clarify the location of man pages for OpenSSL when missing.
2025-02-26 07:30:34 +00:00 · 2019-02-03 18:48:49 +00:00 · 2019-02-03 18:48:49 +00:00 · 4f03ab06a9
commit 4f03ab06a9
parent 8cf7c1eb61
1 changed files with 31 additions and 31 deletions
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@ -1029,10 +1029,12 @@ ssl-default-bind-ciphers <ciphers>
  the default string describing the list of cipher algorithms ("cipher suite")
  that are negotiated during the SSL/TLS handshake up to TLSv1.2 for all
  "bind" lines which do not explicitly define theirs. The format of the string
-  is defined in "man 1 ciphers" from OpenSSL man pages, and can be for instance
+  is defined in "man 1 ciphers" from OpenSSL man pages. For background
-  a string such as "AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH" (without quotes). For
+  information and recommendations see e.g.
-  TLSv1.3 cipher configuration, please check the "ssl-default-bind-ciphersuites"
+  (https://wiki.mozilla.org/Security/Server_Side_TLS) and
-  keyword. Please check the "bind" keyword for more information.
+  (https://mozilla.github.io/server-side-tls/ssl-config-generator/). For TLSv1.3
  cipher configuration, please check the "ssl-default-bind-ciphersuites" keyword.
  Please check the "bind" keyword for more information.
 ssl-default-bind-ciphersuites <ciphersuites>
  This setting is only available when support for OpenSSL was built in and
@ -1040,11 +1042,9 @@ ssl-default-bind-ciphersuites <ciphersuites>
  describing the list of cipher algorithms ("cipher suite") that are negotiated
  during the TLSv1.3 handshake for all "bind" lines which do not explicitly define
  theirs. The format of the string is defined in
-  "man 1 ciphers" from OpenSSL man pages under the section "ciphersuites", and can
+  "man 1 ciphers" from OpenSSL man pages under the section "ciphersuites". For
-  be for instance a string such as
+  cipher configuration for TLSv1.2 and earlier, please check the
-  "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
+  "ssl-default-bind-ciphers" keyword. Please check the "bind" keyword for more
  (without quotes). For cipher configuration for TLSv1.2 and earlier, please check
  the "ssl-default-bind-ciphers" keyword. Please check the "bind" keyword for more
  information.
 ssl-default-bind-options [<option>]...
@ -1061,9 +1061,13 @@ ssl-default-server-ciphers <ciphers>
  sets the default string describing the list of cipher algorithms that are
  negotiated during the SSL/TLS handshake up to TLSv1.2 with the server,
  for all "server" lines which do not explicitly define theirs. The format of
-  the string is defined in "man 1 ciphers". For TLSv1.3 cipher configuration,
+  the string is defined in "man 1 ciphers" from OpenSSL man pages. For background
-  please check the "ssl-default-server-ciphersuites" keyword. Please check the
+  information and recommendations see e.g.
-  "server" keyword for more information.
+  (https://wiki.mozilla.org/Security/Server_Side_TLS) and
  (https://mozilla.github.io/server-side-tls/ssl-config-generator/).
  For TLSv1.3 cipher configuration, please check the
  "ssl-default-server-ciphersuites" keyword. Please check the "server" keyword
  for more information.
 ssl-default-server-ciphersuites <ciphersuites>
  This setting is only available when support for OpenSSL was built in and
@ -1071,9 +1075,10 @@ ssl-default-server-ciphersuites <ciphersuites>
  string describing the list of cipher algorithms that are negotiated during
  the TLSv1.3 handshake with the server, for all "server" lines which do not
  explicitly define theirs. The format of the string is defined in
-  "man 1 ciphers" under the "ciphersuites" section. For cipher configuration for
+  "man 1 ciphers" from OpenSSL man pages under the section "ciphersuites". For
-  TLSv1.2 and earlier, please check the "ssl-default-server-ciphers" keyword.
+  cipher configuration for TLSv1.2 and earlier, please check the
-  Please check the "server" keyword for more information.
+  "ssl-default-server-ciphers" keyword. Please check the "server" keyword for
  more information.
 ssl-default-server-options [<option>]...
  This setting is only available when support for OpenSSL was built in. It sets
@ -10894,10 +10899,7 @@ ciphers <ciphers>
  This setting is only available when support for OpenSSL was built in. It sets
  the string describing the list of cipher algorithms ("cipher suite") that are
  negotiated during the SSL/TLS handshake up to TLSv1.2. The format of the
-  string is defined in "man 1 ciphers" from OpenSSL man pages, and can be for
+  string is defined in "man 1 ciphers" from OpenSSL man pages. For background
  instance a string such as "AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH" (without
  quotes). Depending on the compatibility and security requirements, the list
  of suitable ciphers depends on a variety of variables. For background
  information and recommendations see e.g.
  (https://wiki.mozilla.org/Security/Server_Side_TLS) and
  (https://mozilla.github.io/server-side-tls/ssl-config-generator/). For TLSv1.3
@ -10908,11 +10910,8 @@ ciphersuites <ciphersuites>
  OpenSSL 1.1.1 or later was used to build HAProxy. It sets the string describing
  the list of cipher algorithms ("cipher suite") that are negotiated during the
  TLSv1.3 handshake. The format of the string is defined in "man 1 ciphers" from
-  OpenSSL man pages under the "ciphersuites" section, and can be for instance a
+  OpenSSL man pages under the "ciphersuites" section. For cipher configuration
-  string such as
+  for TLSv1.2 and earlier, please check the "ciphers" keyword.
  "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
  (without quotes). For cipher configuration for TLSv1.2 and earlier, please check
  the "ciphers" keyword.
 crl-file <crlfile>
  This setting is only available when support for OpenSSL was built in. It
@ -11661,19 +11660,20 @@ ciphers <ciphers>
  This setting is only available when support for OpenSSL was built in. This
  option sets the string describing the list of cipher algorithms that is
  negotiated during the SSL/TLS handshake with the server. The format of the
-  string is defined in "man 1 ciphers". When SSL is used to communicate with
+  string is defined in "man 1 ciphers" from OpenSSL man pages. For background
-  servers on the local network, it is common to see a weaker set of algorithms
+  information and recommendations see e.g.
-  than what is used over the internet. Doing so reduces CPU usage on both the
+  (https://wiki.mozilla.org/Security/Server_Side_TLS) and
-  server and haproxy while still keeping it compatible with deployed software.
+  (https://mozilla.github.io/server-side-tls/ssl-config-generator/). For TLSv1.3
-  Some algorithms such as RC4-SHA1 are reasonably cheap. If no security at all
+  cipher configuration, please check the "ciphersuites" keyword.
  is needed and just connectivity, using DES can be appropriate.
 ciphersuites <ciphersuites>
  This setting is only available when support for OpenSSL was built in and
  OpenSSL 1.1.1 or later was used to build HAProxy. This option sets the string
  describing the list of cipher algorithms that is negotiated during the TLS
  1.3 handshake with the server. The format of the string is defined in
-  "man 1 ciphers" under the "ciphersuites" section.
+  "man 1 ciphers" from OpenSSL man pages under the "ciphersuites" section.
  For cipher configuration for TLSv1.2 and earlier, please check the "ciphers"
  keyword.
 cookie <value>
  The "cookie" parameter sets the cookie value assigned to the server to