Hi Emeric,

These patches are a rework of the TLS methods configuration.
The goal is to abstract the haproxy TLS methods configuration from the openssl configuration requirements (which are version dependent).
This will make it easier to update and make the configuration less ambiguous.
0001 unify no-tlsxx force-tlsxx with bit flags, configure openssl with set options (version agnostic)
0002 add min-tlsxx max-tlsxx and TLSv1.3 initial support
        SSL negotiation requires contiguous TLS versions. The openssl 1.1.0 API adds min/max calls for that.
        min/max is also a more suitable parameter to keep the configuration consistent across haproxy/openssl versions.
        Note: min/max should replace no-tlsxx usage (and can replace force-tlsxx usage)
0003 Warning when all TLS methods are disabled
0004 improve haproxy -vvv with TLS methods
0005 force-tlsxx implementation compatibility (Emeric's first point)

For the second point 
> But we will face issue using 'force-' when openssl will support further tls 
> versions not yet handled by haproxy. This problem was correctly handled by 
> the previous implementation.

I can provide a patch for that, but it will not be useful for years, until a new TLS version is implemented. It can generate build breaks until that time.
. all TLS methods are known in haproxy (set_options usage is safe)
. Haproxy must be run with the same version as the compilation. Changing the openssl version (other than for bug fixes) is not supported.

> On 20 March 2017 at 19:07, Emmanuel Hocdet <[email protected]> wrote:
> 
> Yes, I understood.
> I prefer the abstraction on the flagging versions. It's simpler to add 
> min-xx max-xx: the configuration is more consistent than no-xxx (and avoids 
> 'holes').
> Requirements to not change old implementations of force-xx and fix the max 
> version can be addressed with my patches. I have one that happens.

patches up to date:

++
Manu

Attachment: 0001-MEDIUM-ssl-rework-of-ssl_methods-calculation-to-matc.patch
Description: Binary data

Attachment: 0002-MEDIUM-ssl-add-TLSv1.3-directives-and-min-method-max.patch
Description: Binary data

Attachment: 0003-MINOR-ssl-warm-when-all-SSL-TLS-versions-are-disable.patch
Description: Binary data

Attachment: 0004-MINOR-ssl-show-methods-supported-by-openssl.patch
Description: Binary data

Attachment: 0005-MINOR-ssl-keep-force-tlsxx-implementation-as-it-is-i.patch
Description: Binary data
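To illustrate the bit-flag approach described in this series (no-xxx, force-xxx and min-xxx/max-xxx all resolved to one contiguous version range, with a warning when everything is disabled), here is a stand-alone C model. It is an added example, not code from haproxy or from the attached patches: the enum, bit layout, directive spellings ("no-tlsv11", "force-tlsv12", "min-tlsv10", "max-tlsv12") and function names are assumptions made for the example, and the sample directive lists are constructed. It does not call OpenSSL; it only computes the [min, max] range that would then be handed to the version-agnostic min/max calls, and rejects configurations with a hole that cannot be negotiated correctly.

```c
#include <stdio.h>
#include <string.h>

/* Ordered SSL/TLS methods, lowest first. Constructed for this example;
 * these are not haproxy's or OpenSSL's definitions. */
enum tls_method { M_SSLV3 = 0, M_TLSV10, M_TLSV11, M_TLSV12, M_TLSV13, M_COUNT };

static const char *const method_names[M_COUNT] = {
    "sslv3", "tlsv10", "tlsv11", "tlsv12", "tlsv13"
};

#define METHOD_BIT(m) (1u << (m))
#define ALL_METHODS   (METHOD_BIT(M_COUNT) - 1u)

/* Per-bind configuration accumulated from directives. */
struct tls_conf {
    unsigned no_mask;     /* no-xxx: methods explicitly disabled       */
    unsigned force_mask;  /* force-xxx: pin negotiation to one method  */
    int min, max;         /* min-xxx / max-xxx, -1 when not configured */
};

static void tls_conf_init(struct tls_conf *c) {
    memset(c, 0, sizeof(*c));
    c->min = c->max = -1;
}

static int lookup_method(const char *name) {
    for (int i = 0; i < M_COUNT; i++)
        if (strcmp(method_names[i], name) == 0) return i;
    return -1;
}

/* Apply one directive (hypothetical spellings). 0 on success, -1 on unknown. */
static int tls_conf_apply(struct tls_conf *c, const char *directive) {
    static const struct { const char *prefix; int kind; } kinds[] = {
        {"no-", 0}, {"force-", 1}, {"min-", 2}, {"max-", 3}
    };
    for (size_t k = 0; k < sizeof(kinds) / sizeof(kinds[0]); k++) {
        size_t plen = strlen(kinds[k].prefix);
        if (strncmp(directive, kinds[k].prefix, plen) != 0) continue;
        int m = lookup_method(directive + plen);
        if (m < 0) return -1;
        switch (kinds[k].kind) {
        case 0: c->no_mask |= METHOD_BIT(m); break;
        case 1: c->force_mask |= METHOD_BIT(m); break;
        case 2: c->min = m; break;
        default: c->max = m; break;
        }
        return 0;
    }
    return -1;
}

/* Resolve the configuration into a contiguous [min, max] range.
 * Returns 1 on success, 0 when the result is empty (all methods disabled,
 * which deserves a warning) or has a hole (not expressible as min/max and
 * not negotiable correctly by the peer). */
static int tls_conf_resolve(const struct tls_conf *c, int *min, int *max) {
    unsigned mask;
    if (c->force_mask) {                          /* force-xxx: exactly that method */
        mask = c->force_mask;
    } else if (c->min >= 0 || c->max >= 0) {      /* min/max: explicit range        */
        int lo = c->min >= 0 ? c->min : 0;
        int hi = c->max >= 0 ? c->max : M_COUNT - 1;
        mask = 0;
        for (int m = lo; m <= hi; m++) mask |= METHOD_BIT(m);
    } else {                                      /* legacy: everything enabled     */
        mask = ALL_METHODS;
    }
    mask &= ~c->no_mask;                          /* no-xxx always removes methods  */

    if (mask == 0) {
        fprintf(stderr, "warning: all SSL/TLS versions are disabled\n");
        return 0;
    }
    int lo = 0;
    while (!(mask & METHOD_BIT(lo))) lo++;
    int hi = lo;
    while (hi + 1 < M_COUNT && (mask & METHOD_BIT(hi + 1))) hi++;
    if (mask >> (hi + 1)) {                       /* a bit set above the run: hole  */
        fprintf(stderr, "error: non-contiguous TLS versions (hole)\n");
        return 0;
    }
    *min = lo; *max = hi;
    return 1;
}

/* Apply a whole directive list: 1 = ok, 0 = rejected, -1 = unknown keyword. */
static int tls_conf_from_list(const char *const *d, int n, int *min, int *max) {
    struct tls_conf c;
    tls_conf_init(&c);
    for (int i = 0; i < n; i++)
        if (tls_conf_apply(&c, d[i]) < 0) return -1;
    return tls_conf_resolve(&c, min, max);
}

/* Single-value accessors: resolved bound, or -1 when the list is rejected. */
static int resolved_min(const char *const *d, int n) { int lo, hi; return tls_conf_from_list(d, n, &lo, &hi) == 1 ? lo : -1; }
static int resolved_max(const char *const *d, int n) { int lo, hi; return tls_conf_from_list(d, n, &lo, &hi) == 1 ? hi : -1; }

/* Constructed sample directive lists. */
static const char *const sample_legacy[] = {"no-sslv3", "no-tlsv10"};            /* tlsv11..tlsv13 */
static const char *const sample_hole[]   = {"no-sslv3", "no-tlsv11"};            /* tlsv10, tlsv12, tlsv13: hole */
static const char *const sample_force[]  = {"force-tlsv12"};                     /* tlsv12 only */
static const char *const sample_range[]  = {"min-tlsv11", "max-tlsv12"};         /* tlsv11..tlsv12 */
static const char *const sample_none[]   = {"no-sslv3", "no-tlsv10", "no-tlsv11", "no-tlsv12", "no-tlsv13"};

int main(void) {
    int lo, hi;
    if (tls_conf_from_list(sample_legacy, 2, &lo, &hi) == 1)
        printf("legacy: %s .. %s\n", method_names[lo], method_names[hi]);
    tls_conf_from_list(sample_hole, 2, &lo, &hi);   /* prints the hole error */
    tls_conf_from_list(sample_none, 5, &lo, &hi);   /* prints the all-disabled warning */
    return 0;
}
```

The point worth noting is the last step of tls_conf_resolve: once every directive has been folded into one bit mask, a single contiguity check covers no-xxx, force-xxx and min/max alike, so "no-tlsv11" on its own is caught as a hole instead of silently producing a set the peer cannot negotiate, and the empty mask is where the patch 0003 warning belongs.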
