hem instead of promoting them (hint: try
to declare a "ruleset" section).
> i don't really know wheter it's big advantage to have it configurable at
> this time, probably not, as current hardcoded ssloptions value is safe.
>
> i know that we needed to add some opts in
it's big advantage to have it configurable at
this time, probably not, as current hardcoded ssloptions value is safe.
i know that we needed to add some opts in july to stunnel, as they were
not default for openssl at that time to prevent BEAST and friends.
Do you know other projects than stunnel w
don't think any application lets you configure single openssl workarounds
>> or can you name one?
>
> i already did: stunnel.
I meant without hacking the source-code, of course.
> i don't really know wheter it's big advantage to have it configurable at
> this t
i don't really know wheter it's big advantage to have it configurable at
this time, probably not, as current hardcoded ssloptions value is safe.
i know that we needed to add some opts in july to stunnel, as they were
not default for openssl at that time to prevent BEAST and friends.
besides,
Hi,
>> You can disable SSLv3 among other things just fine in haproxy 1.5:
>> http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#no-sslv3%20%28Bind%20options%29
>
> sorry, for not being clear.
> i'd like this:
>
> src/ssl_sock.c:
> 1469 long ssloptions =
> 1470 SSL_OP_ALL | /* all known
On Wed, Oct 29, 2014 at 08:24:31PM +0100, Lukas Tribus wrote:
> Previous mail was somehow messed up, here is my proper response:
>
> > is there any sensible reason that value of ssloptions is hardcoded
> > instead of passed with config (ie. similiary to
> > ssl-default-bind-ciphers)?
> >
> > i'd l
On Wed, Oct 29, 2014 at 02:29:21PM -0700, Bryan Talbot wrote:
> I think he wants to globally disable SSLv3 (by removing support at compile
> time) so it can't be accidentally enabled in an errant bind option. There's
> no way to disable SSLv3 globally in the haproxy config.
Then probably we should
I think he wants to globally disable SSLv3 (by removing support at compile
time) so it can't be accidentally enabled in an errant bind option. There's
no way to disable SSLv3 globally in the haproxy config.
-Bryan
On Wed, Oct 29, 2014 at 12:24 PM, Lukas Tribus wrote:
> Previous mail was someho
Previous mail was somehow messed up, here is my proper response:
> is there any sensible reason that value of ssloptions is hardcoded
> instead of passed with config (ie. similiary to
> ssl-default-bind-ciphers)?
>
> i'd like to add NO_SSLv3 which is apparently not in 1.5.6 and in future
> it may
> is there any sensible reason that value of ssloptions is hardcoded
> instead of passed with config (ie. similiary to
> ssl-default-bind-ciphers)?
>
> i'd like to add NO_SSLv3 which is apparently not in 1.5.6 and in future
> it may be likely to add some other options to avoid openssl bugs in
> pro
is there any sensible reason that value of ssloptions is hardcoded
instead of passed with config (ie. similiary to
ssl-default-bind-ciphers)?
i'd like to add NO_SSLv3 which is apparently not in 1.5.6 and in future
it may be likely to add some other options to avoid openssl bugs in
production...
n
11 matches
Mail list logo