Hi Willy,

> On 27 March 2017 at 17:54, Willy Tarreau <[email protected]> wrote:
>
> Hi Manu,
>
> On Mon, Mar 27, 2017 at 05:46:46PM +0200, Emmanuel Hocdet wrote:
>>> I'm not much comfortable with the "sslv3" and so on as they easily read
>>> as "use sslv3 only" (for me at least) but we can get rid of them once we
>>> have everything needed with min-tls/max-tls, and if some users want to
>>> keep them anyway then we can complete the doc to mention explicitly what
>>> they do (ie: stop disabling support for sslv3). So that's no big deal.
>>>
>>
>> If I understand the needs, the parameters are to reset settings from
>> default server.
>
> Absolutely. The typical use case would be a defaults section setting the
> default server with "no-sslv3 no-tlsv10 no-tlsv11" but one local server
> requires to run with one such version, and just for this we don't want to
> cancel the convenient default-server settings, so having a statement to
> say "go back to defaults for this one" is better.
>
>> For ssl we could have 'ssl-all' and avoid any 'no', 'no-no' tls version ?
>
> Maybe something like this. But I *tend* to think that once we have your
> min-tls/max-tls it could be a no-brainer. Emeric told me he thinks that
> it's probably bad to make an exception for certain keywords (and I tend
> to share his opinion on this one), so maybe over the long term we'll still
> have them with proper doc and possibly warnings suggesting a different
> syntax. After all, saying "I don't want to disable SSLv3 for this server"
> tends to imply you explicitly know you want it, so the value of having
> these confusing keywords might possibly be only to ensure users naturally
> find the keyword they're looking for without having to think too long.
>

with:

force-tlv == min-tlv + max-tlv
no-tlv => obsolete (and no need for (no-no) tlv)
default min-tlv and max-tlv can be overwritten on local definition.

So min-tlv, max-tlv (and force-tlv) could be the only useful parameters:
tlv and no-tlv can be removed from default server parameters.
A no-tlv definition on server (compat) can work or generate a warning if a 'hole' is detected.

++
Manu
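As an added illustration of the min/max proposal discussed in this thread (example code written for this page, not HAProxy's own; the keyword names min-tls/max-tls follow the thread's shorthand and are assumptions, not final syntax), the following models how legacy no-<ver> flags map onto a range, why force-<ver> is just min == max, and how a "hole" between enabled versions is detected and reported instead of silently re-enabled:

```python
# Added example (not HAProxy code): models the thread's proposal that the
# legacy per-version "no-<ver>" flags collapse into a min/max version pair,
# that force-<ver> is the degenerate range min == max, and that a "hole"
# (a version disabled between two enabled ones) cannot be expressed as a
# range and should produce a warning. min-tls/max-tls are assumed names.
VERSIONS = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2"]  # oldest to newest
LEGACY_NO = {"no-sslv3": "SSLv3", "no-tlsv10": "TLSv1.0",
             "no-tlsv11": "TLSv1.1", "no-tlsv12": "TLSv1.2"}


def legacy_to_range(flags):
    """Translate legacy no-<ver> flags into (min, max, warnings)."""
    unknown = [f for f in flags if f not in LEGACY_NO]
    if unknown:
        raise ValueError("unknown keyword(s): %s" % ", ".join(unknown))
    disabled = {LEGACY_NO[f] for f in flags}
    enabled = [v for v in VERSIONS if v not in disabled]
    if not enabled:
        raise ValueError("every protocol version is disabled")
    lo, hi = VERSIONS.index(enabled[0]), VERSIONS.index(enabled[-1])
    # A disabled version strictly inside [min, max] is a hole: the range
    # form would silently re-enable it, so report it rather than hide it.
    warnings = ["hole: %s is disabled but lies between min-tls %s and max-tls %s"
                % (v, enabled[0], enabled[-1])
                for v in VERSIONS[lo:hi + 1] if v in disabled]
    return enabled[0], enabled[-1], warnings


def force_to_range(version):
    """force-<ver> is simply min-tls == max-tls == <ver>."""
    if version not in VERSIONS:
        raise ValueError("unknown version: %s" % version)
    return version, version


def effective_range(default_range, server_range):
    """Server-level min/max override default-server; None keeps the default."""
    dmin, dmax = default_range
    smin, smax = server_range
    lo, hi = smin or dmin, smax or dmax
    if VERSIONS.index(lo) > VERSIONS.index(hi):
        raise ValueError("min-tls %s is newer than max-tls %s" % (lo, hi))
    return lo, hi


def allowed_versions(min_ver, max_ver):
    """Versions a range actually permits, oldest first."""
    return VERSIONS[VERSIONS.index(min_ver):VERSIONS.index(max_ver) + 1]
```

With the thread's scenario (defaults "no-sslv3 no-tlsv10 no-tlsv11", one server needing TLSv1.0), `effective_range(legacy_to_range([...])[:2], ("TLSv1.0", None))` yields the range TLSv1.0..TLSv1.2 for that server while the default-server range stays TLSv1.2 only.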

