Hello,

On Mon, 4 Feb 2019 at 20:48, Bertrand Jacquin <bertr...@jacquin.bzh> wrote:
>
> Since TLS ciphers are not well understood, it is very common that parameters
> from documentation are used as is. Since RC4 should not be used anymore
> I believe it is wiser to show examples including stronger ciphers to
> avoid deploying unsafe configurations in the wild.
>
> "ALL" is also to be avoided since it contains a lot of deprecated,
> insecure ciphers, and garbage that is not applicable in the haproxy
> context.

Frankly I would rather remove those altogether and maybe link to
somewhere else, like the Mozilla TLS recommendations:
https://wiki.mozilla.org/Security/Server_Side_TLS

No one checks for documentation updates in stable releases, unless
it's for a new feature, so I'd be inclined to say backporting doc
fixes regarding security-relevant stuff does not really work.


OpenSSL does not ship recommendations (they just change their
defaults), so we should probably not do that either.


just my two cents ...
lukas
