Hi,

>> You can disable SSLv3 among other things just fine in haproxy 1.5:
>> http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#no-sslv3%20%28Bind%20options%29
>
> sorry for not being clear.
> I'd like this:
>
> src/ssl_sock.c:
> 1469 long ssloptions =
> 1470 SSL_OP_ALL | /* all known workarounds for bugs */
> 1471 SSL_OP_NO_SSLv2 |
> 1472 SSL_OP_NO_COMPRESSION |
> 1473 SSL_OP_SINGLE_DH_USE |
> 1474 SSL_OP_SINGLE_ECDH_USE |
> 1475 SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION |
> 1476 SSL_OP_CIPHER_SERVER_PREFERENCE;
>
> to be configurable.
>
> main reasoning: "all known workarounds for bugs" as of compile time
> might change in future (as new openssl bugs are being uncovered).

I still don't get it.

These are not openssl bugs, but workarounds in openssl for bugs in other
ssl libraries or applications.

Let's assume newer openssl releases introduce a new workaround. SSL_OP_ALL
will enable that workaround, so we should be good.

SSL_OP_ALL is a safe setting that the application is supposed to set.


I strongly disagree that we should make every single OpenSSL option
configurable, this will just mess up documentation and configuration and
will more often than not be misconfigured by the users.

I don't think any application lets you configure single openssl workarounds
or can you name one?



> and concerning SSL_OP_NO_SSLv3 versus disabling on protocol level

What's the difference between using SSL_OP_NO_SSLV3 and "disabling it
on protocol level" exactly?



> what ssllabs handshake simulation is giving me, i think this option also
> disables DH <= 1024 bits kex.

Which I assume is perfectly expected because by disabling SSLv3 you also
disable ciphers unsupported in TLSv1.



Regards,

Lukas
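
As an added example (not part of the original thread or of haproxy's own
documentation), here is a haproxy 1.5 configuration contrasting a bind line
that leaves SSLv3 enabled with one that disables it through the no-sslv3 bind
option referenced above, plus the ssl-default-bind-options global directive
that applies the same setting to every ssl bind line. Certificate path, ports
and backend address are placeholders.

```haproxy
# Added example, not from the original thread. Paths, ports and addresses
# are placeholders.
global
    # Applies to every "bind ... ssl" line that does not override it, so a
    # forgotten per-bind option cannot silently re-enable SSLv3.
    ssl-default-bind-options no-sslv3

frontend https_hardened
    # Explicit per-bind form of the same setting: haproxy adds SSL_OP_NO_SSLv3
    # to the ssloptions set in src/ssl_sock.c for this listener, so an SSLv3
    # ClientHello is rejected at the handshake.
    bind :443 ssl crt /etc/haproxy/certs/example.pem no-sslv3
    default_backend app

frontend https_legacy
    # Without no-sslv3 (and without the global default above) a haproxy 1.5
    # listener accepts SSLv3 handshakes as long as the OpenSSL build supports
    # them; this is the setting to avoid.
    bind :8443 ssl crt /etc/haproxy/certs/example.pem
    default_backend app

backend app
    server app1 127.0.0.1:8080
```

After reloading, the effect can be checked from the outside with OpenSSL's
client forced to SSLv3, for example openssl s_client -connect host:443 -ssl3,
which must fail the handshake against the hardened listener; the ciphers that
exist only in SSLv3 disappear from the offered set at the same time, which is
the behaviour discussed above.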
