I think he wants to globally disable SSLv3 (by removing support at compile time) so it can't be accidentally enabled in an errant bind option. There's no way to disable SSLv3 globally in the haproxy config.
-Bryan

On Wed, Oct 29, 2014 at 12:24 PM, Lukas Tribus <[email protected]> wrote:
> Previous mail was somehow messed up, here is my proper response:
>
> > is there any sensible reason that value of ssloptions is hardcoded
> > instead of passed with config (ie. similarly to
> > ssl-default-bind-ciphers)?
> >
> > i'd like to add NO_SSLv3 which is apparently not in 1.5.6 and in future
> > it may be likely to add some other options to avoid openssl bugs in
> > production...
>
> I'm not sure I understand what you mean.
>
> You can disable SSLv3 among other things just fine in haproxy 1.5:
>
> http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#no-sslv3%20%28Bind%20options%29
>
> Lukas
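
The concern in this thread is a `bind` line that enables TLS but omits `no-sslv3`. The following is an added example, not code from the thread or from the HAProxy project: a small configuration audit that lists such lines. The sample configuration and the function name are constructed for illustration, and the script assumes `#` always starts a comment and that a `force-tlsv1x` keyword also rules out SSLv3 on that listener.

```python
# Added example: find HAProxy 1.5 "bind ... ssl" lines that leave SSLv3 enabled.

# Bind keywords that rule out SSLv3 for one listener (HAProxy 1.5 bind options).
SSLV3_OFF = {"no-sslv3", "force-tlsv10", "force-tlsv11", "force-tlsv12"}

# Constructed sample configuration, not taken from the thread.
SAMPLE_CFG = """\
global
    ssl-default-bind-ciphers HIGH:!aNULL:!MD5

frontend www
    bind :443 ssl crt /etc/haproxy/site.pem no-sslv3
    bind :8443 ssl crt /etc/haproxy/site.pem   # errant line: no-sslv3 forgotten
    bind :80

listen admin
    bind 127.0.0.1:9443 ssl crt /etc/haproxy/admin.pem force-tlsv12
    bind :9444 ssl crt /etc/haproxy/no-sslv3.pem
"""


def bind_lines_allowing_sslv3(cfg_text):
    """Return [(line_number, line)] for TLS bind lines that do not disable SSLv3."""
    findings = []
    for lineno, raw in enumerate(cfg_text.splitlines(), start=1):
        # Assumption: '#' starts a comment (no quoted or escaped '#' in the file).
        line = raw.split("#", 1)[0].strip()
        tokens = line.split()
        if len(tokens) < 2 or tokens[0] != "bind":
            continue
        # tokens[1] is the address:port; everything after it is bind options.
        options = tokens[2:]
        # Match whole keywords, so a path containing "no-sslv3" does not count.
        if "ssl" in options and not SSLV3_OFF.intersection(options):
            findings.append((lineno, line))
    return findings


if __name__ == "__main__":
    for lineno, line in bind_lines_allowing_sslv3(SAMPLE_CFG):
        print(f"line {lineno}: SSLv3 not disabled: {line}")
```
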

