Hi Manu,

On 03/16/2017 02:44 PM, Emeric Brun wrote:
> On 03/15/2017 07:06 PM, Willy Tarreau wrote:
>> Hi Manu,
>>
>> On Wed, Mar 15, 2017 at 07:00:28PM +0100, Emmanuel Hocdet wrote:
>>>> ssl_options seems still valid, all directives can be mapped to it and keep
>>>> compatibility.
>>>>
>>>
>>> Patch proposal:
>>
>> Maybe it could work, let's wait for Emeric's feedback. I remember there
>> was a subtle difference between no-<version> and force-<version> but I
>> don't remember which one.
>>
>> Thanks,
>> Willy
>>
>
>
> I'm clearly not sure that setting openssl's options to ~no-tlsxx has the
> same behavior as forcing the callback sets (using force-) to one protocol.
>
> I always suspected that no-tlsxx options apply to a kind of 'capabilities',
> whereas setting a callback-set clearly forces the usage of a protocol version.
>
> So for me the patch could modify some behavior for openssl versions < 1.1
>
> There is another point which worries me:
>
> In the proposed patch, statement 'force-' will disable all known protocol
> versions except that one.
>
> But we will face issues using 'force-' when openssl supports further tls
> versions not yet handled by haproxy. This problem was correctly handled by
> the previous implementation.
>
> R,
> Emeric
>
Finally, to avoid side effects as explained below, I think it would be better to use SSL_CTX_set_min_proto_version/SSL_CTX_set_max_proto_version, setting min = max to the forced version for 'force-' statements.
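To make the difference between the two approaches concrete, here is an added example (my own illustration, not HAProxy or OpenSSL code) modelling a `force-tlsv12` bind directive two ways: (a) as a deny-list of `SSL_OP_NO_*` flags for every version the config parser knows, which is the behaviour the mail worries about, and (b) as a min/max range passed to `SSL_CTX_set_min_proto_version()`/`SSL_CTX_set_max_proto_version()` with min == max. A version unknown to the parser (TLS 1.3 here, which the example's name table deliberately omits to model "not yet handled by haproxy") stays enabled under (a) but is excluded under (b). The program builds without OpenSSL installed: the constants are guarded copies of the values in `<openssl/ssl.h>`, the directive names are assumed to follow HAProxy's `force-`/`no-` spelling, and the real setter calls are shown only in a comment.

```c
/* Added example: "force-<version>" modelled as SSL_OP_NO_* flags versus
 * as a min/max protocol range. Not HAProxy or OpenSSL code. */
#include <stdio.h>
#include <string.h>

/* Guarded copies of the protocol codes and option bits from <openssl/ssl.h>,
 * so the example compiles with or without the OpenSSL headers present. */
#ifndef SSL3_VERSION
#define SSL3_VERSION   0x0300
#define TLS1_VERSION   0x0301
#define TLS1_1_VERSION 0x0302
#define TLS1_2_VERSION 0x0303
#define TLS1_3_VERSION 0x0304
#endif
#ifndef SSL_OP_NO_SSLv3
#define SSL_OP_NO_SSLv3   0x02000000L
#define SSL_OP_NO_TLSv1   0x04000000L
#define SSL_OP_NO_TLSv1_2 0x08000000L
#define SSL_OP_NO_TLSv1_1 0x10000000L
#endif

/* Arguments for SSL_CTX_set_min_proto_version()/SSL_CTX_set_max_proto_version(). */
struct proto_range { int min; int max; };

/* Version names a hypothetical config parser knows. TLS 1.3 is left out on
 * purpose to model "a version not yet handled by haproxy". Returns -1 if unknown. */
static int version_code(const char *name) {
    if (!strcmp(name, "sslv3"))  return SSL3_VERSION;
    if (!strcmp(name, "tlsv10")) return TLS1_VERSION;
    if (!strcmp(name, "tlsv11")) return TLS1_1_VERSION;
    if (!strcmp(name, "tlsv12")) return TLS1_2_VERSION;
    return -1;
}

/* (b) force-<version> -> min = max = that version. Returns 0, or -1 if the
 * directive is not a known force- directive. */
int force_to_range(const char *directive, struct proto_range *r) {
    if (strncmp(directive, "force-", 6) != 0) return -1;
    int v = version_code(directive + 6);
    if (v < 0) return -1;
    r->min = r->max = v;
    return 0;
}

/* (a) force-<version> -> SSL_OP_NO_* bit for every *known* other version.
 * Returns the option mask, or -1 on an unknown directive. */
long force_to_options(const char *directive) {
    if (strncmp(directive, "force-", 6) != 0) return -1;
    int v = version_code(directive + 6);
    if (v < 0) return -1;
    long opts = 0;
    if (v != SSL3_VERSION)   opts |= SSL_OP_NO_SSLv3;
    if (v != TLS1_VERSION)   opts |= SSL_OP_NO_TLSv1;
    if (v != TLS1_1_VERSION) opts |= SSL_OP_NO_TLSv1_1;
    if (v != TLS1_2_VERSION) opts |= SSL_OP_NO_TLSv1_2;
    return opts;
}

/* Would protocol version `v` still be negotiable under each configuration? */
int range_allows(const struct proto_range *r, int v) {
    return v >= r->min && v <= r->max;
}
int options_allow(long opts, int v) {
    switch (v) {
    case SSL3_VERSION:   return !(opts & SSL_OP_NO_SSLv3);
    case TLS1_VERSION:   return !(opts & SSL_OP_NO_TLSv1);
    case TLS1_1_VERSION: return !(opts & SSL_OP_NO_TLSv1_1);
    case TLS1_2_VERSION: return !(opts & SSL_OP_NO_TLSv1_2);
    default:             return 1;  /* no known flag for it: stays enabled */
    }
}

/* Convenience wrappers: does directive `d` leave version `v` enabled? */
int force_allows_via_range(const char *d, int v) {
    struct proto_range r;
    return force_to_range(d, &r) == 0 && range_allows(&r, v);
}
int force_allows_via_options(const char *d, int v) {
    long opts = force_to_options(d);
    return opts >= 0 && options_allow(opts, v);
}

int main(void) {
    int vers[] = { SSL3_VERSION, TLS1_VERSION, TLS1_1_VERSION, TLS1_2_VERSION, TLS1_3_VERSION };
    for (size_t i = 0; i < sizeof vers / sizeof vers[0]; i++)
        printf("version 0x%04x  options-based:%d  min/max-based:%d\n", vers[i],
               force_allows_via_options("force-tlsv12", vers[i]),
               force_allows_via_range("force-tlsv12", vers[i]));
    /* With real OpenSSL >= 1.1.0 the range from force_to_range() is applied as:
     *   SSL_CTX_set_min_proto_version(ctx, r.min);
     *   SSL_CTX_set_max_proto_version(ctx, r.max);               */
    return 0;
}
```

The last row of the program's output is the one that matters for the thread: under the flag deny-list, 0x0304 (TLS 1.3) remains enabled because no known flag covers it, while the min/max ceiling rejects it without the parser needing to know it exists.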

