On Wed, Oct 29, 2014 at 08:24:31PM +0100, Lukas Tribus wrote:
> Previous mail was somehow messed up, here is my proper response:
>
> > Is there any sensible reason that the value of ssloptions is hardcoded
> > instead of passed with the config (i.e. similarly to
> > ssl-default-bind-ciphers)?
> >
> > I'd like to add NO_SSLv3, which is apparently not in 1.5.6, and in the future
> > it may be likely to add some other options to avoid OpenSSL bugs in
> > production...
>
> I'm not sure I understand what you mean.
>
> You can disable SSLv3 among other things just fine in haproxy 1.5:
> http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#no-sslv3%20%28Bind%20options%29
Sorry for not being clear. I'd like this (src/ssl_sock.c, lines 1469-1476):

    long ssloptions =
        SSL_OP_ALL | /* all known workarounds for bugs */
        SSL_OP_NO_SSLv2 |
        SSL_OP_NO_COMPRESSION |
        SSL_OP_SINGLE_DH_USE |
        SSL_OP_SINGLE_ECDH_USE |
        SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION |
        SSL_OP_CIPHER_SERVER_PREFERENCE;

to be configurable.

Main reasoning: "all known workarounds for bugs" as of compile time might change in the future (as new OpenSSL bugs are being uncovered).

And concerning SSL_OP_NO_SSLv3 versus disabling on the protocol level: from what the SSL Labs handshake simulation is giving me, I think this option also disables DH <= 1024 bit kex.

-- 
konrad rzentarzewski -- System Administrator, Efigence S.A.
Office: +48.223801313  Off-hours: +48.222961020
EFI42-RIPE
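As an added example (not part of this thread and not HAProxy's own code), here is what "make the hard-coded ssloptions mask configurable" looks like in practice: a keyword table in the style of HAProxy's bind options (the keyword names such as no-sslv3, no-tls-tickets and prefer-server-ciphers are assumptions chosen for illustration), OR-ed on top of the compiled-in baseline quoted above. Python's ssl module is used because it exposes the very same OpenSSL SSL_OP_* bits (SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is the one bit it does not expose, so it is left out of the baseline). The two checks a practitioner wants are included: unknown keywords are rejected at parse time rather than silently ignored, and describe_options() reports which bits are actually set in the resulting mask, skipping bits that are 0 in the linked OpenSSL (single-dh-use on 1.1+, for instance), so you see what the library will really enforce.

```python
import ssl

# Added example, not HAProxy code: a keyword table in the style of HAProxy's
# "bind" options, mapped onto the real OpenSSL SSL_OP_* bits as Python's ssl
# module exposes them. The keyword names are assumptions for illustration.
OPTION_KEYWORDS = {
    "no-sslv3": ssl.OP_NO_SSLv3,
    "no-tlsv10": ssl.OP_NO_TLSv1,
    "no-tlsv11": ssl.OP_NO_TLSv1_1,
    "no-tlsv12": ssl.OP_NO_TLSv1_2,
    "no-tls-tickets": ssl.OP_NO_TICKET,
    "no-compression": ssl.OP_NO_COMPRESSION,
    "prefer-server-ciphers": ssl.OP_CIPHER_SERVER_PREFERENCE,
    "single-dh-use": ssl.OP_SINGLE_DH_USE,
    "single-ecdh-use": ssl.OP_SINGLE_ECDH_USE,
}

# The baseline that src/ssl_sock.c hard-codes at compile time, minus
# SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION, which Python does not expose.
COMPILED_IN_DEFAULTS = (
    ssl.OP_ALL
    | ssl.OP_NO_SSLv2
    | ssl.OP_NO_COMPRESSION
    | ssl.OP_SINGLE_DH_USE
    | ssl.OP_SINGLE_ECDH_USE
    | ssl.OP_CIPHER_SERVER_PREFERENCE
)


def parse_ssl_options(spec, baseline=COMPILED_IN_DEFAULTS):
    """Turn a whitespace-separated keyword list into an SSL_OP_* bitmask.

    Unknown keywords are a hard error: silently ignoring a misspelled
    "no-sslv3" would leave SSLv3 enabled, the opposite of what was configured.
    """
    mask = int(baseline)
    for word in spec.split():
        if word not in OPTION_KEYWORDS:
            raise ValueError("unknown ssl option keyword: %r" % word)
        mask |= int(OPTION_KEYWORDS[word])
    return mask


def is_valid_option_spec(spec):
    """True when every keyword in spec is known (the check a config loader would run)."""
    try:
        parse_ssl_options(spec)
    except ValueError:
        return False
    return True


def describe_options(mask):
    """Keywords whose bits are fully present in mask.

    Keywords whose bit is 0 in the linked OpenSSL (e.g. single-dh-use on
    OpenSSL 1.1+, where it is unconditionally on) are skipped, so the list
    reflects what the library will actually enforce.
    """
    return sorted(
        name for name, bit in OPTION_KEYWORDS.items()
        if bit and (mask & bit) == bit
    )


def build_server_context(spec, baseline=COMPILED_IN_DEFAULTS):
    """Create a server SSLContext with the configured options OR-ed in."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.options |= parse_ssl_options(spec, baseline)
    return ctx


def sslv3_disabled(ctx):
    """Read back the bit from the context, not from what we think we set."""
    return bool(ctx.options & ssl.OP_NO_SSLv3)


if __name__ == "__main__":
    spec = "no-sslv3 no-tls-tickets"
    print("configured:", describe_options(parse_ssl_options(spec)))
    print("bad spec accepted?", is_valid_option_spec("no-sslv3 no-sslv4"))
    print("context disables SSLv3:", sslv3_disabled(build_server_context(spec)))
```

Note that describe_options() on the bare baseline may or may not list single-dh-use and single-ecdh-use depending on the OpenSSL you link against; that is exactly the "compile-time assumptions change" problem the message raises, and reading the bits back from the live context is the only reliable way to know what is in effect.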

