pixitha opened a new issue, #12382: URL: https://github.com/apache/trafficserver/issues/12382
We noticed, when trying to set the TLS Groups config for the server, that it was not honoring client TLS Group/Curves and was instead forcing the client to use the server order.

This comes back to the OpenSSL API `SSL_OP_CIPHER_SERVER_PREFERENCE`, which is what is set when you configure (Default) the [proxy.config.ssl.server.honor_cipher_order](https://docs.trafficserver.apache.org/en/latest/admin-guide/files/records.yaml.en.html#proxy-config-ssl-server-honor-cipher-order).

I suggest that we update the docs here to reflect that it actually sets the server order for cipher suites **AND** TLS groups/EC curves list **AND** signature algorithms.

Just a few weeks ago they changed the code and the docs for the upcoming OpenSSL 3.6 release:

> Introduce SSL_OP_SERVER_PREFERENCE superceding misleadingly named SSL_OP_CIPHER_SERVER_PREFERENCE.
>
> Michael Baentsch

https://github.com/openssl/openssl/commit/51ce5499f9bd1f12cf08f511faaf163b0c4448bb

This appears to be to help clear up confusion around this exact issue, since OpenSSL only supports the server order list for ALL settings, not just the cipher suites.

For ATSv11, it might be worth changing the actual name of the config option in ATS records to reflect that, but that is a larger change.
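The behaviour reported in this issue, as an added example that is not part of the original report and is not ATS or OpenSSL code: a simplified Python model in which one flag decides whose order wins for cipher suites, groups and signature algorithms alike. The function names and the sample lists are constructed for illustration, and the model assumes plain first-match selection, ignoring TLS 1.3 key_share handling and security-level filtering.

```python
# Simplified model (an assumption, not OpenSSL source): for each parameter the
# "preferring" side's list is walked in order and the first entry the other
# side also offers is selected. One flag picks the preferring side for all three.

PARAMS = ("ciphers", "groups", "sigalgs")

def first_shared(preferred, supported):
    """Return the first entry of `preferred` also present in `supported`."""
    allowed = set(supported)
    return next((item for item in preferred if item in allowed), None)

def negotiate(server, client, server_preference):
    """Model what is selected for each parameter with the flag on or off."""
    result = {}
    for name in PARAMS:
        if server_preference:
            result[name] = first_shared(server[name], client[name])
        else:
            result[name] = first_shared(client[name], server[name])
    return result

def changed_by_flag(server, client):
    """Map each parameter whose outcome differs to (client-order, server-order)."""
    on = negotiate(server, client, True)
    off = negotiate(server, client, False)
    return {n: (off[n], on[n]) for n in PARAMS if on[n] != off[n]}

# Constructed sample server configuration and client offer (not from the issue).
SERVER = {
    "ciphers": ["ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-CHACHA20-POLY1305"],
    "groups": ["P-256", "X25519"],
    "sigalgs": ["rsa_pss_rsae_sha256", "rsa_pkcs1_sha256"],
}
CLIENT = {
    "ciphers": ["ECDHE-RSA-CHACHA20-POLY1305", "ECDHE-RSA-AES256-GCM-SHA384"],
    "groups": ["X25519", "P-256"],
    "sigalgs": ["rsa_pss_rsae_sha256", "rsa_pkcs1_sha256"],
}

if __name__ == "__main__":
    for name, (client_pick, server_pick) in changed_by_flag(SERVER, CLIENT).items():
        print(f"{name}: client order -> {client_pick}, server order -> {server_pick}")
```

Running the model against a real server's configured lists and a representative client offer shows which negotiated parameters would change if the server-order setting were flipped.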