haproxy/doc
Lukas Tribus 53ae85c38e MINOR: ssl: add prefer-client-ciphers
Currently we unconditionally set SSL_OP_CIPHER_SERVER_PREFERENCE [1],
which may not always be a good thing.

The benefit of server side cipher prioritization may not apply to all
cases out there, and it appears that the various SSL libs are going away
from this recommendation ([2], [3]), as insecure cipher suites are
properly blacklisted/removed and honoring the client's preference is
more likely to improve user experience (for example using SW-friendly
ciphers on devices without HW AES support).

This is especially true for TLSv1.3, which will restrict the cipher
suites to just AES-GCM and Chacha20/Poly1305.

Apache [4], nginx [5] and others give admins full flexibility, we should
as well.

The initial proposal to change the current default and add a
"prefer-server-ciphers" option (as implemented in e566ecb) has been
declined due to the possible security impact.

This patch implements prefer-client-ciphers without changing the defaults.

[1] https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set_options.html
[2] https://github.com/openssl/openssl/issues/541
[3] https://github.com/libressl-portable/portable/issues/66
[4] https://httpd.apache.org/docs/2.0/en/mod/mod_ssl.html#sslhonorcipherorder
[5] https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_prefer_server_ciphers
2017-05-12 15:49:04 +02:00
design-thoughts MAJOR: tproxy: remove support for cttproxy 2015-08-20 19:35:14 +02:00
internals [RELEASE] Released version 1.8-dev1 2017-04-03 09:27:49 +02:00
lua-api BUG/MINOR: lua: Map.end are not reliable because "end" is a reserved keyword 2017-01-30 20:29:10 +01:00
51Degrees-device-detection.txt DOC: move the device detection modules documentation to their own files 2016-11-08 15:06:21 +01:00
acl.fig
architecture.txt DOC: fix "workaround" spelling 2016-01-15 10:27:09 +01:00
close-options.txt [DOC] add a few old and uncommitted docs 2011-09-05 01:04:44 +02:00
coding-style.txt DOC: update coding-style to reference checkpatch.pl 2015-09-21 16:45:45 +02:00
configuration.txt MINOR: ssl: add prefer-client-ciphers 2017-05-12 15:49:04 +02:00
cookie-options.txt [DOC] add a few old and uncommitted docs 2011-09-05 01:04:44 +02:00
DeviceAtlas-device-detection.txt DOC: move the device detection modules documentation to their own files 2016-11-08 15:06:21 +01:00
gpl.txt
haproxy.1 MINOR: doc: document the -x flag 2017-04-13 19:15:17 +02:00
intro.txt [RELEASE] Released version 1.8-dev0 2016-11-25 16:58:52 +01:00
lgpl.txt
linux-syn-cookies.txt DOC: add doc/linux-syn-cookies.txt 2015-08-11 12:17:41 +02:00
lua.txt DOC: LUA: fix some typos and syntax errors 2016-02-16 11:07:45 +01:00
management.txt MINOR: server: cli: Add server FQDNs to server-state file and stats socket. 2017-05-03 06:58:53 +02:00
netscaler-client-ip-insertion-protocol.txt MINOR: listener: add the "accept-netscaler-cip" option to the "bind" keyword 2016-06-20 23:02:47 +02:00
network-namespaces.txt MAJOR: namespace: add Linux network namespace support 2014-11-21 07:51:57 +01:00
proxy-protocol.txt DOC: mention lighttpd 1.4.46 implements PROXY 2017-04-05 08:42:39 +02:00
queuing.fig
SPOE.txt DOC: spoe: Update SPOE documentation to reflect recent changes 2017-03-09 15:32:56 +01:00
WURFL-device-detection.txt DOC: move the device detection modules documentation to their own files 2016-11-08 15:06:21 +01:00