Hello,
> Hi Lukas,
>
> The response is in our link:
> [2] https://github.com/openssl/openssl/issues/541
>
> No need to disable this option per default and option is needed for security.

The point is: when the admin is aware of TLS security, he can easily add a new config option on a major software upgrade, and we can even add this for example to the mozilla TLS config generator as well.

But, if this is just a copy&paste from a 3 year old blog post, SSL_OP_CIPHER_SERVER_PREFERENCE actively harms security, as a browser will have a more up-to-date cipher preference list than the server, but server preference will ignore it.

The old RC4 preference instead of AES-CBC, for example:
https://github.com/libressl-portable/portable/issues/66#issuecomment-183822438

> The equal-preference groups work with server preference. I tested it with
> BoringSSL.

I care primarily about vanilla OpenSSL, and I don't get a sense that there is an interest to implement this for TLSv1.2.

What I want for haproxy is to be flexible enough to address all cases, as is Apache and nginx.

Thanks,
Lukas

