Hi guys,

On Mon, Feb 04, 2019 at 10:13:11PM +0100, Lukas Tribus wrote:
> > Since TLS ciphers are not well understood, it is very common that parameters
> > from documentation are used as is. Since RC4 should not be used anymore,
> > I believe it is wiser to show examples including stronger ciphers to
> > avoid deploying unsafe configurations in the wild.
> >
> > "ALL" is also to be avoided since it contains a lot of deprecated,
> > insecure ciphers, and garbage that is not applicable in the haproxy
> > context.
> 
> Frankly I would rather remove those altogether and maybe link to
> somewhere else, like the Mozilla TLS recommendations:
> https://wiki.mozilla.org/Security/Server_Side_TLS
> 
> No one checks for documentation updates in stable releases, unless
> it's for a new feature, so I'd be inclined to say backporting doc
> fixes regarding security relevant stuff does not really work.

I agree, we've been caught several times shipping old warnings like
"threads are experimental" or "haproxy doesn't cache" or stuff like
this. It's terribly difficult to maintain isolated doc parts and even
harder to keep them up to date in stable versions. Thus probably we
should instead propose the link to Mozilla's Wiki above as well as
the link to their config generator which is trivial to use:

    https://mozilla.github.io/server-side-tls/ssl-config-generator/

It even explains how to use HSTS by default. What do you think Bertrand?

Willy
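To make the point of the thread concrete (the doc examples quoted above that use RC4 or "ALL", versus what the Mozilla generator hands you), here is an added illustration that is not from the haproxy documentation or from anyone in this thread: the kind of cipher line that should no longer be copied from examples, beside a hardened global default plus the HSTS header Willy mentions. The certificate path, backend name and the exact cipher strings are assumptions for illustration; take the current list from the generator rather than from this snippet, since the recommended set changes over time.

```haproxy
# Added illustrative config; not from the haproxy docs or the Mozilla generator.
# Assumed paths/names: /etc/haproxy/certs/example.pem, backend "app".

# --- The pattern the thread warns against: per-bind cipher lists copied from
# --- old examples. "ALL" pulls in export, NULL, RC4 and other junk; an explicit
# --- RC4 suite is just as bad. (Kept here only as the "before" example.)
frontend https-old
    bind :8443 ssl crt /etc/haproxy/certs/example.pem ciphers ALL
    # equally outdated: ... ciphers RC4-SHA:AES128-SHA
    default_backend app

# --- Hardened form: set the policy once in "global" so every "bind ... ssl"
# --- inherits it, and leave no room for a stale per-bind "ciphers" override.
global
    # TLS 1.2 suites: forward-secret AEAD only (illustrative list, check the
    # generator for the current recommendation).
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
    # TLS 1.3 suites use a separate directive (needs a build against OpenSSL 1.1.1+).
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    # Disable legacy protocol versions; "no-tls-tickets" avoids long-lived
    # ticket keys undermining forward secrecy unless you rotate them.
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
    tune.ssl.default-dh-param 2048

frontend https-in
    bind :443 ssl crt /etc/haproxy/certs/example.pem
    # HSTS, as the generator adds by default. Start with a short max-age until
    # every subdomain is confirmed to serve valid TLS, then raise it.
    http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains"
    default_backend app
```

To see why "ALL" is a problem on a given host, expand it with `openssl ciphers -v 'ALL'` and look for RC4, DES, NULL and EXP entries; doing the same with the string above shows only ECDHE/AEAD suites, which is the quick check worth running before shipping any cipher line in documentation.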
