DOC: configuration: clarify ciphersuites usage

Ciphersuites can be used with any TLS/SSL protocol version and are not
specific to TLSv1.3. However you can only specify the TLSv1.3 ciphers in
ciphersuite format.

Should fix issue #2459.

Backport to every stable branches.
This commit is contained in:
William Lallemand 2024-02-29 18:04:12 +01:00
parent 69f15b9a40
commit e2a44d6c94

View File

@ -2296,13 +2296,13 @@ ssl-default-bind-ciphers <ciphers>
ssl-default-bind-ciphersuites <ciphersuites>
This setting is only available when support for OpenSSL was built in and
OpenSSL 1.1.1 or later was used to build HAProxy. It sets the default string
describing the list of cipher algorithms ("cipher suite") that are negotiated
during the TLSv1.3 handshake for all "bind" lines which do not explicitly define
theirs. The format of the string is defined in
"man 1 ciphers" from OpenSSL man pages under the section "ciphersuites". For
cipher configuration for TLSv1.2 and earlier, please check the
"ssl-default-bind-ciphers" keyword. Please check the "bind" keyword for more
information.
describing the list of cipher algorithms in "cipher suite" format that are
negotiated during the TLS handshake for all "bind" lines which do not
explicitly define theirs. The format of the string is defined in "man 1
ciphers" from OpenSSL man pages under the section "ciphersuites". For cipher
configuration for TLSv1.2 and earlier using the "OpenSSL" ciphers format,
please check the "ssl-default-bind-ciphers" keyword. Please check the "bind"
keyword for more information.
ssl-default-bind-client-sigalgs <sigalgs>
This setting is only available when support for OpenSSL was built in. It sets
@ -2366,14 +2366,14 @@ ssl-default-server-ciphers <ciphers>
ssl-default-server-ciphersuites <ciphersuites>
This setting is only available when support for OpenSSL was built in and
OpenSSL 1.1.1 or later was used to build HAProxy. It sets the default
string describing the list of cipher algorithms that are negotiated during
the TLSv1.3 handshake with the server, for all "server" lines which do not
explicitly define theirs. The format of the string is defined in
OpenSSL 1.1.1 or later was used to build HAProxy. It sets the default string
describing the list of cipher algorithms in "cipher suite" format that are
negotiated during the TLS handshake with the server, for all "server" lines
which do not explicitly define theirs. The format of the string is defined in
"man 1 ciphers" from OpenSSL man pages under the section "ciphersuites". For
cipher configuration for TLSv1.2 and earlier, please check the
"ssl-default-server-ciphers" keyword. Please check the "server" keyword for
more information.
cipher configuration for TLSv1.2 and earlier using the "OpenSSL" cipher
format, please check the "ssl-default-server-ciphers" keyword. Please check the
"server" keyword for more information.
ssl-default-server-client-sigalgs <sigalgs>
This setting is only available when support for OpenSSL was built in. It sets
@ -15507,10 +15507,11 @@ ciphers <ciphers>
ciphersuites <ciphersuites>
This setting is only available when support for OpenSSL was built in and
OpenSSL 1.1.1 or later was used to build HAProxy. It sets the string describing
the list of cipher algorithms ("cipher suite") that are negotiated during the
TLSv1.3 handshake. The format of the string is defined in "man 1 ciphers" from
OpenSSL man pages under the "ciphersuites" section. For cipher configuration
for TLSv1.2 and earlier, please check the "ciphers" keyword.
the list of cipher algorithms in "cipher suite" format that are negotiated
during the TLS handshake. The format of the string is defined in "man 1
ciphers" from OpenSSL man pages under the "ciphersuites" section. For cipher
configuration for TLSv1.2 and earlier using the "OpenSSL" ciphers format,
please check the "ciphers" keyword.
client-sigalgs <sigalgs>
This setting is only available when support for OpenSSL was built in. It sets
@ -16649,11 +16650,11 @@ ciphersuites <ciphersuites>
This setting is only available when support for OpenSSL was built in and
OpenSSL 1.1.1 or later was used to build HAProxy. This option sets the string
describing the list of cipher algorithms that is negotiated during the TLS
1.3 handshake with the server. The format of the string is defined in
"man 1 ciphers" from OpenSSL man pages under the "ciphersuites" section.
For cipher configuration for TLSv1.2 and earlier, please check the "ciphers"
keyword.
describing the list of cipher algorithms in "cipher suite" format that is
negotiated during the TLS handshake with the server. The format of the string
is defined in "man 1 ciphers" from OpenSSL man pages under the "ciphersuites"
section. For cipher configuration for TLSv1.2 and earlier using the "OpenSSL"
cipher format, please check the "ciphers" keyword.
client-sigalgs <sigalgs>
May be used in the following contexts: tcp, http, log, peers, ring