On Wed, Oct 29, 2014 at 02:29:21PM -0700, Bryan Talbot wrote:
I think he wants to globally disable SSLv3 (by removing support at compile
time) so it can't be accidentally enabled in an errant bind option. There's
no way to disable SSLv3 globally in the haproxy config.
Then probably we should
On Wed, Oct 29, 2014 at 08:24:31PM +0100, Lukas Tribus wrote:
Previous mail was somehow messed up, here is my proper response:
is there any sensible reason that value of ssloptions is hardcoded
instead of passed with config (i.e. similarly to
ssl-default-bind-ciphers)?
i'd like to add
Hi,
You can disable SSLv3 among other things just fine in haproxy 1.5:
http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#no-sslv3%20%28Bind%20options%29
sorry, for not being clear.
i'd like this:
src/ssl_sock.c:
1469 long ssloptions =
1470 SSL_OP_ALL | /* all known
main reasoning: all known workarounds for bugs as of compile time
might change in future (as new openssl bugs are being uncovered).
I still don't get it.
These are not openssl bugs, but workarounds in openssl for bugs in other
ssl libraries or applications.
not in all cases, some options
On 10/30/2014 04:19 PM, konrad rzentarzewski wrote:
On Thu, Oct 30, 2014 at 02:25:01PM +0100, Lukas Tribus wrote:
main reasoning: all known workarounds for bugs as of compile time
might change in future (as new openssl bugs are being uncovered).
I still don't get it.
These are not openssl
[ asymmetric hello ]
On Thu, Oct 30, 2014 at 04:19:34PM +0100, konrad rzentarzewski wrote:
i already did: stunnel.
And does it have any real use in the end ? In haproxy we have also done
totally pointless things that nobody has ever found a use for as well,
and we better try to forget them
is there any sensible reason that value of ssloptions is hardcoded
instead of passed with config (i.e. similarly to
ssl-default-bind-ciphers)?
i'd like to add NO_SSLv3 which is apparently not in 1.5.6 and in future
it may be likely to add some other options to avoid openssl bugs in
Previous mail was somehow messed up, here is my proper response:
is there any sensible reason that value of ssloptions is hardcoded
instead of passed with config (i.e. similarly to
ssl-default-bind-ciphers)?
i'd like to add NO_SSLv3 which is apparently not in 1.5.6 and in future
it may be
I think he wants to globally disable SSLv3 (by removing support at compile
time) so it can't be accidentally enabled in an errant bind option. There's
no way to disable SSLv3 globally in the haproxy config.
-Bryan
On Wed, Oct 29, 2014 at 12:24 PM, Lukas Tribus luky...@hotmail.com wrote: