haproxy/reg-tests/ssl
Remi Tricot-Le Breton 1d6338ea96 MEDIUM: ssl: Disable DHE ciphers by default
DHE ciphers do not present a security risk if the key is big enough but
they are slow and mostly obsoleted by ECDHE. This patch removes any
default DH parameters. This will effectively disable all DHE ciphers
unless a global ssl-dh-param-file is defined, or
tune.ssl.default-dh-param is set, or a frontend has DH parameters
included in its PEM certificate. In this latter case, only the frontends
that have DH parameters will have DHE ciphers enabled.
Explicitly adding a DHE cipher in a "bind" line will not be enough to
actually enable DHE. We would still need to know which DH parameters to
use so one of the three conditions described above must be met.

This request was described in GitHub issue #1604.
2022-04-20 17:30:55 +02:00
..
generate_certificates REGTESTS: ssl: Add test for "generate-certificates" SSL option 2022-02-09 12:10:32 +01:00
add_ssl_crt-list.vtc REGTESTS: extend the default I/O timeouts and make them overridable 2021-11-18 17:57:11 +01:00
ca-auth.crt
cert1-example.com.pem.ecdsa
cert1-example.com.pem.rsa
cert2-example.com.pem.ecdsa
cert2-example.com.pem.rsa
client1.pem
client2_expired.pem
client3_revoked.pem
client.ecdsa.pem REGTESTS: ssl: Add test for "curves" and "ecdhe" SSL options 2022-02-09 11:15:44 +01:00
common.4096.dh REGTESTS: ssl: Add tests for DH related options 2022-02-14 10:07:14 +01:00
common.crt
common.key
common.pem
crl-auth.pem
del_ssl_crt-list.vtc REGTESTS: extend the default I/O timeouts and make them overridable 2021-11-18 17:57:11 +01:00
dynamic_server_ssl.vtc MEDIUM: server: remove experimental-mode for dynamic servers 2022-03-11 14:28:28 +01:00
ecdsa.crt
ecdsa.key
ecdsa.pem
filters.crt-list
interCA1_crl_empty.pem
interCA1_crl.pem
interCA2_crl_empty.pem
interCA2_crl.pem
localhost.crt-list
new_del_ssl_cafile.vtc REGTESTS: ssl: use X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY for cert check 2021-12-10 16:16:02 +01:00
new_del_ssl_crlfile.vtc REGTESTS: extend the default I/O timeouts and make them overridable 2021-11-18 17:57:11 +01:00
README
rootCA_crl.pem
set_cafile_client.pem
set_cafile_interCA1.crt
set_cafile_interCA2.crt
set_cafile_rootCA.crt
set_cafile_server.pem
set_default_cert.crt-list
set_default_cert.pem
set_ssl_cafile.vtc REGTESTS: ssl: use X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY for cert check 2021-12-10 16:16:02 +01:00
set_ssl_cert_bundle.vtc REGTESTS: extend the default I/O timeouts and make them overridable 2021-11-18 17:57:11 +01:00
set_ssl_cert_noext.vtc REGTESTS: extend the default I/O timeouts and make them overridable 2021-11-18 17:57:11 +01:00
set_ssl_cert.vtc REGTESTS: extend the default I/O timeouts and make them overridable 2021-11-18 17:57:11 +01:00
set_ssl_crlfile.vtc REGTESTS: extend the default I/O timeouts and make them overridable 2021-11-18 17:57:11 +01:00
set_ssl_server_cert.vtc REGTESTS: extend the default I/O timeouts and make them overridable 2021-11-18 17:57:11 +01:00
show_ocsp_server.pem
show_ocsp_server.pem.issuer
show_ocsp_server.pem.ocsp
show_ocsp_server.pem.ocsp.revoked
show_ssl_ocspresponse.vtc REGTESTS: ssl: skip show_ssl_ocspresponse.vtc when BoringSSL is used 2022-02-02 17:48:02 +01:00
simple.crt-list
ssl_client_auth.vtc REGTESTS: extend the default I/O timeouts and make them overridable 2021-11-18 17:57:11 +01:00
ssl_client_samples.vtc REGTESTS: extend the default I/O timeouts and make them overridable 2021-11-18 17:57:11 +01:00
ssl_crt-list_filters.vtc REGTESTS: extend the default I/O timeouts and make them overridable 2021-11-18 17:57:11 +01:00
ssl_curves.vtc REGTESTS: ssl: Add test for "curves" and "ecdhe" SSL options 2022-02-09 11:15:44 +01:00
ssl_default_server.vtc REGTESTS: ssl: fix ssl_default_server.vtc 2021-12-29 18:20:19 +01:00
ssl_dh.vtc MEDIUM: ssl: Disable DHE ciphers by default 2022-04-20 17:30:55 +02:00
ssl_errors.vtc REGTESTS: ssl: Fix ssl_errors regtest with OpenSSL 1.0.2 2022-01-11 20:02:37 +01:00
ssl_frontend_samples.vtc REGTESTS: extend the default I/O timeouts and make them overridable 2021-11-18 17:57:11 +01:00
ssl_generate_certificate.vtc REGTESTS: ssl: Add test for "generate-certificates" SSL option 2022-02-09 12:10:32 +01:00
ssl_reuse.vtc REGTESTS: ssl: test the TLS resumption 2021-11-19 04:07:07 +01:00
ssl_server_samples.vtc REGTESTS: extend the default I/O timeouts and make them overridable 2021-11-18 17:57:11 +01:00
ssl_simple_crt-list.vtc REGTESTS: extend the default I/O timeouts and make them overridable 2021-11-18 17:57:11 +01:00
wrong_ctx_storage.vtc

File list:
 - common.pem: PEM file which may be used by most of the VTC files.