Hi Manu,

On Mon, Mar 27, 2017 at 05:46:46PM +0200, Emmanuel Hocdet wrote:
> > I'm not much comfortable with the "sslv3" and so on as they easily read
> > as "use sslv3 only" (for me at least) but we can get rid of them once we
> > have everything needed with min-tls/max-tls, and if some users want to
> > keep them anyway then we can complete the doc to mention explicitly what
> > they do (ie: stop disabling support for sslv3). So that's no big deal.
> > 
> 
> If I understand the needs, the parameters are to reset settings from the default
> server.

Absolutely. The typical use case would be a defaults section setting the default
server with "no-sslv3 no-tlsv10 no-tlsv11" but one local server needs to run
with one of those versions, and just for this we don't want to cancel the convenient
default-server settings, so having a statement to say "go back to defaults for
this one" is better.

> For ssl we could have 'ssl-all' and avoid any 'no, 'no-no' tls version ?

Maybe something like this. But I *tend* to think that once we have your
min-tls/max-tls it could be a no-brainer. Emeric told me he thinks that
it's probably bad to make an exception for certain keywords (and I tend
to share his opinion on this one), so maybe over the long term we'll still
have them with proper doc and possibly warnings suggesting a different
syntax. After all, saying "I don't want to disable SSLv3 for this server"
tends to imply you explicitly know you want it, so the value of having
these confusing keywords might possibly be only to ensure users naturally
find the keyword they're looking for without having to think too long.

cheers,
Willy
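The use case Willy describes above, written out as a configuration, as an added example that is not part of this thread. It assumes the keyword set that later HAProxy releases (1.8 and up) document for "default-server" and "server": the "no-sslv3"/"no-tlsv10"/"no-tlsv11" disablers, the matching "sslv3"/"tlsv10"/"tlsv11" keywords that reset a "no-..." inherited from "default-server", and the "ssl-min-ver"/"ssl-max-ver" floor and ceiling being discussed in the thread. The backend, server names, addresses and CA path are invented for the illustration.

```haproxy
# Added example (not from the thread). Hypothetical names and addresses.

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s
    # Hardened default for every "server" line that follows: only TLS 1.2
    # (and, where the library supports it, 1.3) is left enabled.
    default-server ssl verify required ca-file /etc/haproxy/ca.pem \
                   no-sslv3 no-tlsv10 no-tlsv11

backend app
    # Inherits the default-server settings: TLS >= 1.2 only.
    server app1 10.0.0.11:443
    server app2 10.0.0.12:443

backend legacy
    # One appliance that only speaks TLS 1.0. Only the "no-tlsv10" part of
    # the default is cancelled; "ssl", "verify", the CA file and the other
    # "no-..." keywords still apply. This is the "go back to defaults for
    # this one" override the thread is about, using the keyword that resets
    # "no-tlsv10" rather than re-listing the whole server line.
    server old-box 10.0.0.20:443 tlsv10

backend legacy-minver
    # Same intent with the min/max syntax the thread points to: state the
    # floor explicitly instead of negating a negation. Both lines are
    # equivalent in outcome but this one reads as "TLS 1.0 and above".
    server old-box 10.0.0.20:443 ssl-min-ver TLSv1.0
```

Before reloading, run the configuration through `haproxy -c -f /path/to/haproxy.cfg`; a keyword that this build does not know (for instance `ssl-min-ver` on a 1.7 binary) is rejected there rather than at runtime. Note that `tlsv10` on the "server" line re-enables only that version: TLS 1.1 stays disabled because `no-tlsv11` is still inherited, whereas `ssl-min-ver TLSv1.0` enables everything from 1.0 upward, so the two backends are not identical if the peer happens to offer TLS 1.1.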
