DOC: configuration: clarify ciphersuites usage

Ciphersuites can be used with any TLS/SSL protocol version and are not specific to TLSv1.3. However you can only specify the TLSv1.3 ciphers in ciphersuite format. Should fix issue #2459. Backport to every stable branches.
2024-02-29 18:04:12 +01:00 · 2024-02-29 18:04:12 +01:00 · e2a44d6c94
parent 69f15b9a40
commit e2a44d6c94
1 changed files with 24 additions and 23 deletions
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@ -2296,13 +2296,13 @@ ssl-default-bind-ciphers <ciphers>
 ssl-default-bind-ciphersuites <ciphersuites>
  This setting is only available when support for OpenSSL was built in and
  OpenSSL 1.1.1 or later was used to build HAProxy. It sets the default string
-  describing the list of cipher algorithms ("cipher suite") that are negotiated
+  describing the list of cipher algorithms in "cipher suite" format that are
-  during the TLSv1.3 handshake for all "bind" lines which do not explicitly define
+  negotiated during the TLS handshake for all "bind" lines which do not
-  theirs. The format of the string is defined in
+  explicitly define theirs. The format of the string is defined in "man 1
-  "man 1 ciphers" from OpenSSL man pages under the section "ciphersuites". For
+  ciphers" from OpenSSL man pages under the section "ciphersuites". For cipher
-  cipher configuration for TLSv1.2 and earlier, please check the
+  configuration for TLSv1.2 and earlier using the "OpenSSL" ciphers format,
-  "ssl-default-bind-ciphers" keyword. Please check the "bind" keyword for more
+  please check the "ssl-default-bind-ciphers" keyword. Please check the "bind"
-  information.
+  keyword for more information.
 ssl-default-bind-client-sigalgs <sigalgs>
  This setting is only available when support for OpenSSL was built in. It sets
@ -2366,14 +2366,14 @@ ssl-default-server-ciphers <ciphers>
 ssl-default-server-ciphersuites <ciphersuites>
  This setting is only available when support for OpenSSL was built in and
-  OpenSSL 1.1.1 or later was used to build HAProxy. It sets the default
+  OpenSSL 1.1.1 or later was used to build HAProxy. It sets the default string
-  string describing the list of cipher algorithms that are negotiated during
+  describing the list of cipher algorithms in "cipher suite" format that are
-  the TLSv1.3 handshake with the server, for all "server" lines which do not
+  negotiated during the TLS handshake with the server, for all "server" lines
-  explicitly define theirs. The format of the string is defined in
+  which do not explicitly define theirs. The format of the string is defined in
  "man 1 ciphers" from OpenSSL man pages under the section "ciphersuites". For
-  cipher configuration for TLSv1.2 and earlier, please check the
+  cipher configuration for TLSv1.2 and earlier using the "OpenSSL" cipher
-  "ssl-default-server-ciphers" keyword. Please check the "server" keyword for
+  format, please check the "ssl-default-server-ciphers" keyword. Please check the
-  more information.
+  "server" keyword for more information.
 ssl-default-server-client-sigalgs <sigalgs>
  This setting is only available when support for OpenSSL was built in. It sets
@ -15507,10 +15507,11 @@ ciphers <ciphers>
 ciphersuites <ciphersuites>
  This setting is only available when support for OpenSSL was built in and
  OpenSSL 1.1.1 or later was used to build HAProxy. It sets the string describing
-  the list of cipher algorithms ("cipher suite") that are negotiated during the
+  the list of cipher algorithms in "cipher suite" format that are negotiated
-  TLSv1.3 handshake. The format of the string is defined in "man 1 ciphers" from
+  during the TLS handshake. The format of the string is defined in "man 1
-  OpenSSL man pages under the "ciphersuites" section. For cipher configuration
+  ciphers" from OpenSSL man pages under the "ciphersuites" section. For cipher
-  for TLSv1.2 and earlier, please check the "ciphers" keyword.
+  configuration for TLSv1.2 and earlier using the "OpenSSL" ciphers format,
  please check the "ciphers" keyword.
 client-sigalgs <sigalgs>
  This setting is only available when support for OpenSSL was built in. It sets
@ -16649,11 +16650,11 @@ ciphersuites <ciphersuites>
  This setting is only available when support for OpenSSL was built in and
  OpenSSL 1.1.1 or later was used to build HAProxy. This option sets the string
-  describing the list of cipher algorithms that is negotiated during the TLS
+  describing the list of cipher algorithms in "cipher suite" format that is
-  1.3 handshake with the server. The format of the string is defined in
+  negotiated during the TLS handshake with the server. The format of the string
-  "man 1 ciphers" from OpenSSL man pages under the "ciphersuites" section.
+  is defined in "man 1 ciphers" from OpenSSL man pages under the "ciphersuites"
-  For cipher configuration for TLSv1.2 and earlier, please check the "ciphers"
+  section. For cipher configuration for TLSv1.2 and earlier using the "OpenSSL"
-  keyword.
+  cipher format, please check the "ciphers" keyword.
 client-sigalgs <sigalgs>
  May be used in the following contexts: tcp, http, log, peers, ring