From e2a44d6c94b08d1bdf6294706c3b64267a13c86f Mon Sep 17 00:00:00 2001 From: William Lallemand Date: Thu, 29 Feb 2024 18:04:12 +0100 Subject: [PATCH] DOC: configuration: clarify ciphersuites usage Ciphersuites can be used with any TLS/SSL protocol version and are not specific to TLSv1.3. However you can only specify the TLSv1.3 ciphers in ciphersuite format. Should fix issue #2459. Backport to every stable branches. --- doc/configuration.txt | 47 ++++++++++++++++++++++--------------------- 1 file changed, 24 insertions(+), 23 deletions(-) diff --git a/doc/configuration.txt b/doc/configuration.txt index 670f0a06d9..2f1b4d859c 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -2296,13 +2296,13 @@ ssl-default-bind-ciphers ssl-default-bind-ciphersuites This setting is only available when support for OpenSSL was built in and OpenSSL 1.1.1 or later was used to build HAProxy. It sets the default string - describing the list of cipher algorithms ("cipher suite") that are negotiated - during the TLSv1.3 handshake for all "bind" lines which do not explicitly define - theirs. The format of the string is defined in - "man 1 ciphers" from OpenSSL man pages under the section "ciphersuites". For - cipher configuration for TLSv1.2 and earlier, please check the - "ssl-default-bind-ciphers" keyword. Please check the "bind" keyword for more - information. + describing the list of cipher algorithms in "cipher suite" format that are + negotiated during the TLS handshake for all "bind" lines which do not + explicitly define theirs. The format of the string is defined in "man 1 + ciphers" from OpenSSL man pages under the section "ciphersuites". For cipher + configuration for TLSv1.2 and earlier using the "OpenSSL" ciphers format, + please check the "ssl-default-bind-ciphers" keyword. Please check the "bind" + keyword for more information. ssl-default-bind-client-sigalgs This setting is only available when support for OpenSSL was built in. It sets 
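Review bot: The rewritten ssl-default-bind-ciphersuites text still never states the restriction the commit message gives ("you can only specify the TLSv1.3 ciphers in ciphersuite format"), so a reader of "negotiated during the TLS handshake" may conclude this keyword alone governs every protocol version and stop setting ssl-default-bind-ciphers, which is the very confusion this change is meant to resolve. Suggest adding after the "man 1 ciphers" sentence something like: "Only TLSv1.3 cipher suites can be expressed in this format; to restrict the algorithms offered for TLSv1.2 and earlier you must also set ssl-default-bind-ciphers." Also, the quotation marks in 'using the "OpenSSL" ciphers format' put the product name in quotes as if it were a keyword; naming the two formats the way the OpenSSL manual does ("cipher list" format for ciphers, "ciphersuites" format here) would make the cross-reference self-explanatory.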
@@ -2366,14 +2366,14 @@ ssl-default-server-ciphers ssl-default-server-ciphersuites This setting is only available when support for OpenSSL was built in and - OpenSSL 1.1.1 or later was used to build HAProxy. It sets the default - string describing the list of cipher algorithms that are negotiated during - the TLSv1.3 handshake with the server, for all "server" lines which do not - explicitly define theirs. The format of the string is defined in + OpenSSL 1.1.1 or later was used to build HAProxy. It sets the default string + describing the list of cipher algorithms in "cipher suite" format that are + negotiated during the TLS handshake with the server, for all "server" lines + which do not explicitly define theirs. The format of the string is defined in "man 1 ciphers" from OpenSSL man pages under the section "ciphersuites". For - cipher configuration for TLSv1.2 and earlier, please check the - "ssl-default-server-ciphers" keyword. Please check the "server" keyword for - more information. + cipher configuration for TLSv1.2 and earlier using the "OpenSSL" cipher + format, please check the "ssl-default-server-ciphers" keyword. Please check the + "server" keyword for more information. ssl-default-server-client-sigalgs This setting is only available when support for OpenSSL was built in. It sets 
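Review bot: Wording is inconsistent with the preceding hunk: this one says 'using the "OpenSSL" cipher format' while the ssl-default-bind-ciphersuites hunk says 'using the "OpenSSL" ciphers format'. Pick one phrasing and use it in all four places in this patch. The same omission applies here: a sentence saying that only TLSv1.3 suites can be given in this format, and that ssl-default-server-ciphers still controls what is offered to backends for TLSv1.2 and earlier, would keep the two default-server keywords from being read as alternatives.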
@@ -15507,10 +15507,11 @@ ciphers ciphersuites This setting is only available when support for OpenSSL was built in and OpenSSL 1.1.1 or later was used to build HAProxy. It sets the string describing - the list of cipher algorithms ("cipher suite") that are negotiated during the - TLSv1.3 handshake. The format of the string is defined in "man 1 ciphers" from - OpenSSL man pages under the "ciphersuites" section. For cipher configuration - for TLSv1.2 and earlier, please check the "ciphers" keyword. + the list of cipher algorithms in "cipher suite" format that are negotiated + during the TLS handshake. The format of the string is defined in "man 1 + ciphers" from OpenSSL man pages under the "ciphersuites" section. For cipher + configuration for TLSv1.2 and earlier using the "OpenSSL" ciphers format, + please check the "ciphers" keyword. client-sigalgs This setting is only available when support for OpenSSL was built in. It sets @@ -16649,11 +16650,11 @@ ciphersuites This setting is only available when support for OpenSSL was built in and OpenSSL 1.1.1 or later was used to build HAProxy. This option sets the string - describing the list of cipher algorithms that is negotiated during the TLS - 1.3 handshake with the server. The format of the string is defined in - "man 1 ciphers" from OpenSSL man pages under the "ciphersuites" section. - For cipher configuration for TLSv1.2 and earlier, please check the "ciphers" - keyword. + describing the list of cipher algorithms in "cipher suite" format that is + negotiated during the TLS handshake with the server. The format of the string + is defined in "man 1 ciphers" from OpenSSL man pages under the "ciphersuites" + section. For cipher configuration for TLSv1.2 and earlier using the "OpenSSL" + cipher format, please check the "ciphers" keyword. client-sigalgs May be used in the following contexts: tcp, http, log, peers, ring
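Review bot: For the "bind" ciphersuites keyword the new text drops "TLSv1.3" entirely, so the only remaining hint that this list cannot carry TLSv1.2 ciphers is the trailing cross-reference to "ciphers"; since per-bind settings are where operators harden a single listener, say explicitly that TLSv1.3 suites can only be configured here while pre-1.3 algorithms require "ciphers", and that both keywords must be set to constrain every protocol version on that line. The phrase 'using the "OpenSSL" ciphers format' again differs from the 'cipher format' wording used in the next hunk.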
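Review bot: Minor consistency point in the "server" ciphersuites hunk: this text reads "the list of cipher algorithms in "cipher suite" format that is negotiated", whereas the three other hunks say "that are negotiated"; either is defensible depending on whether "list" or "algorithms" is the subject, but the four entries should agree since they are otherwise near-verbatim copies. As with the other hunks, one sentence stating that only TLSv1.3 suites can be expressed in this format would make the "TLSv1.2 and earlier" cross-reference to "ciphers" read as a requirement rather than an alternative.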