On 03/15/2017 07:06 PM, Willy Tarreau wrote:
> Hi Manu,
>
> On Wed, Mar 15, 2017 at 07:00:28PM +0100, Emmanuel Hocdet wrote:
>>> ssl_options seems still valid, all directives can be mapped to it and keep
>>> compatibility.
>>>
>>
>> Patch proposal:
>
> Maybe it could work, let's wait for Emeric's feedback. I remember there
> was a subtle difference between no-<version> and force-<version> but I
> don't remember which one.
>
> Thanks,
> Willy
>
I'm clearly not sure that setting openssl's options to ~no-tlsxx has the same behavior as forcing the callback sets (using force-) to one protocol. I always suspected that the no-tlsxx options apply to a kind of 'capabilities', whereas setting a callback set clearly forces the usage of a protocol version. So for me the patch could modify some behavior for openssl versions < 1.1.

There is another point which worries me: in the proposed patch, the 'force-' statement will disable all known protocol versions except that one. But we will face issues using 'force-' when openssl supports further TLS versions not yet handled by haproxy. This problem was correctly handled by the previous implementation.

R,
Emeric