Since TLS ciphers are not well understood, it is very common that parameters
from documentation are used as is. Since RC4 should not be used anymore,
I believe it is wiser to show an example including stronger ciphers to
avoid deploying unsafe configurations in the wild.

"ALL" is also to be avoided since it contains a lot of deprecated,
insecure ciphers, and garbage that is not applicable in the haproxy
context.
---
 doc/configuration.txt | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/doc/configuration.txt b/doc/configuration.txt
index f7e1339a3e9b..14951d662f97 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -1030,7 +1030,7 @@ ssl-default-bind-ciphers <ciphers>
   that are negotiated during the SSL/TLS handshake up to TLSv1.2 for all
   "bind" lines which do not explicitly define theirs. The format of the string
   is defined in "man 1 ciphers" from OpenSSL man pages, and can be for instance
-  a string such as "AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH" (without quotes). For
+  a string such as "ECDHE+AES:CHACHA20:!SHA1:@STRENGTH" (without quotes). For
   TLSv1.3 cipher configuration, please check the 
"ssl-default-bind-ciphersuites"
   keyword. Please check the "bind" keyword for more information.
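Review bot: the context line `TLSv1.3 cipher configuration, please check the` / `"ssl-default-bind-ciphersuites"` has been wrapped onto two lines, presumably by the mail client, so this hunk will not apply cleanly with `git am`; please resend with `git send-email` or as an attachment. On the example itself, "CHACHA20" in an OpenSSL cipher string matches every ChaCha20 suite, including DHE and PSK variants, not only the ECDHE ones, and "!SHA1" still leaves the CBC suites with SHA256/SHA384 MACs in the list, which "@STRENGTH" then sorts ahead of the 128-bit GCM suites because it orders by symmetric key size only. If the intent is an ECDHE-only, AEAD-only illustration, "ECDHE+AESGCM:ECDHE+CHACHA20:@STRENGTH" states that more precisely.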
 
@@ -10895,7 +10895,7 @@ ciphers <ciphers>
   the string describing the list of cipher algorithms ("cipher suite") that are
   negotiated during the SSL/TLS handshake up to TLSv1.2. The format of the
   string is defined in "man 1 ciphers" from OpenSSL man pages, and can be for
-  instance a string such as "AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH" (without
+  instance a string such as "ECDHE+AES:CHACHA20:!SHA1:@STRENGTH" (without
   quotes). Depending on the compatibility and security requirements, the list
   of suitable ciphers depends on a variety of variables. For background
   information and recommendations see e.g.
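Review bot: the replacement string here is identical to the one in the first hunk, which is what we want, but since the commit message itself warns that readers copy documentation parameters as is, and the very next sentence defers to external recommendations, consider stating explicitly that this string only illustrates the format and is not a recommended cipher list, for instance "can be for instance a string such as ... (given only to illustrate the syntax)". That keeps both occurrences from being pasted into production unchanged, which is the problem the patch sets out to fix.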
@@ -11665,8 +11665,8 @@ ciphers <ciphers>
   servers on the local network, it is common to see a weaker set of algorithms
   than what is used over the internet. Doing so reduces CPU usage on both the
   server and haproxy while still keeping it compatible with deployed software.
-  Some algorithms such as RC4-SHA1 are reasonably cheap. If no security at all
-  is needed and just connectivity, using DES can be appropriate.
+  Some algorithms such as ECDHE+CHACHA20 are reasonably cheap. If no security
+  at all is needed and just connectivity, using DES can be appropriate.
 
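Review bot: "ECDHE+CHACHA20" is not a like-for-like replacement for "RC4-SHA1" in this sentence, which is about reducing CPU usage for backend connections on the local network: the original named a cheap symmetric cipher, whereas the new text adds ECDHE key exchange, which costs more per handshake than the surrounding paragraph is arguing for. Naming just the symmetric cipher, e.g. "CHACHA20-POLY1305, or AES-GCM on CPUs with AES acceleration", keeps the point intact. The sentence "If no security at all is needed and just connectivity, using DES can be appropriate" is left in place, which sits oddly with the commit message's goal of not showing unsafe configurations; consider dropping it in the same patch.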
 ciphersuites <ciphersuites>
   This setting is only available when support for OpenSSL was built in and
