DOC: configuration: clarify ciphersuites usage
Ciphersuites can be used with any TLS/SSL protocol version and are not
specific to TLSv1.3. However, you can only specify the TLSv1.3 ciphers in
ciphersuite format.
Should fix issue #2459.
Backport to every stable branch.
(cherry picked from commit e2a44d6c94b08d1bdf6294706c3b64267a13c86f)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
(cherry picked from commit 5e6faf7ff43451026647d0a80997589be2fd717c)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
(cherry picked from commit dce883c3d31976e08458afbf482c6609f1978c17)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
(cherry picked from commit 80941575926966f240d9a88154b422520249714c)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
(cherry picked from commit 3a2c3bac777a8014f53b5287e98490238b494b79)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
diff --git a/doc/configuration.txt b/doc/configuration.txt
index e733a2c..e923736 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -1882,13 +1882,13 @@
ssl-default-bind-ciphersuites <ciphersuites>
This setting is only available when support for OpenSSL was built in and
OpenSSL 1.1.1 or later was used to build HAProxy. It sets the default string
- describing the list of cipher algorithms ("cipher suite") that are negotiated
- during the TLSv1.3 handshake for all "bind" lines which do not explicitly define
- theirs. The format of the string is defined in
- "man 1 ciphers" from OpenSSL man pages under the section "ciphersuites". For
- cipher configuration for TLSv1.2 and earlier, please check the
- "ssl-default-bind-ciphers" keyword. Please check the "bind" keyword for more
- information.
+ describing the list of cipher algorithms in "cipher suite" format that are
+ negotiated during the TLS handshake for all "bind" lines which do not
+ explicitly define theirs. The format of the string is defined in "man 1
+ ciphers" from OpenSSL man pages under the section "ciphersuites". For cipher
+ configuration for TLSv1.2 and earlier using the "OpenSSL" ciphers format,
+ please check the "ssl-default-bind-ciphers" keyword. Please check the "bind"
+ keyword for more information.
ssl-default-bind-curves <curves>
This setting is only available when support for OpenSSL was built in. It sets
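Review bot: the rewritten "ssl-default-bind-ciphersuites" paragraph no longer mentions TLSv1.3 at all, although the commit message says only TLSv1.3 ciphers can be specified in this format. With "during the TLSv1.3 handshake" changed to "during the TLS handshake", a reader cannot tell what the string accepts, and an operator may assume this keyword also constrains TLSv1.2 and earlier and leave "ssl-default-bind-ciphers" unreviewed. Suggest adding one explicit sentence, before the pointer to "ssl-default-bind-ciphers", stating that only TLSv1.3 ciphers can be given in this format.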
@@ -1921,14 +1921,14 @@
ssl-default-server-ciphersuites <ciphersuites>
This setting is only available when support for OpenSSL was built in and
- OpenSSL 1.1.1 or later was used to build HAProxy. It sets the default
- string describing the list of cipher algorithms that are negotiated during
- the TLSv1.3 handshake with the server, for all "server" lines which do not
- explicitly define theirs. The format of the string is defined in
+ OpenSSL 1.1.1 or later was used to build HAProxy. It sets the default string
+ describing the list of cipher algorithms in "cipher suite" format that are
+ negotiated during the TLS handshake with the server, for all "server" lines
+ which do not explicitly define theirs. The format of the string is defined in
"man 1 ciphers" from OpenSSL man pages under the section "ciphersuites". For
- cipher configuration for TLSv1.2 and earlier, please check the
- "ssl-default-server-ciphers" keyword. Please check the "server" keyword for
- more information.
+ cipher configuration for TLSv1.2 and earlier using the "OpenSSL" cipher
+ format, please check the "ssl-default-server-ciphers" keyword. Please check the
+ "server" keyword for more information.
ssl-default-server-options [<option>]...
This setting is only available when support for OpenSSL was built in. It sets
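Review bot: the last added sentence says 'using the "OpenSSL" cipher format', while the matching bind entry in the previous hunk says 'using the "OpenSSL" ciphers format'. Use one form across all four entries so a search for the term finds every occurrence. The quoted "OpenSSL" label is also not tied to anything in these lines; pointing at the relevant part of "man 1 ciphers", as is done for "ciphersuites", would tell the reader which syntax is meant.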
@@ -13544,10 +13544,11 @@
ciphersuites <ciphersuites>
This setting is only available when support for OpenSSL was built in and
OpenSSL 1.1.1 or later was used to build HAProxy. It sets the string describing
- the list of cipher algorithms ("cipher suite") that are negotiated during the
- TLSv1.3 handshake. The format of the string is defined in "man 1 ciphers" from
- OpenSSL man pages under the "ciphersuites" section. For cipher configuration
- for TLSv1.2 and earlier, please check the "ciphers" keyword.
+ the list of cipher algorithms in "cipher suite" format that are negotiated
+ during the TLS handshake. The format of the string is defined in "man 1
+ ciphers" from OpenSSL man pages under the "ciphersuites" section. For cipher
+ configuration for TLSv1.2 and earlier using the "OpenSSL" ciphers format,
+ please check the "ciphers" keyword.
crl-file <crlfile>
This setting is only available when support for OpenSSL was built in. It
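Review bot: the added phrase 'in "cipher suite" format' uses a third spelling for the same thing: the keyword and the man page section are "ciphersuites", and the commit message writes "ciphersuite format". Since the sentence that follows sends the reader to the "ciphersuites" section of "man 1 ciphers", naming the format the same way here (and in the other three entries) avoids the impression that "cipher suite" format and "ciphersuites" are two different syntaxes.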
@@ -14380,11 +14381,11 @@
ciphersuites <ciphersuites>
This setting is only available when support for OpenSSL was built in and
OpenSSL 1.1.1 or later was used to build HAProxy. This option sets the string
- describing the list of cipher algorithms that is negotiated during the TLS
- 1.3 handshake with the server. The format of the string is defined in
- "man 1 ciphers" from OpenSSL man pages under the "ciphersuites" section.
- For cipher configuration for TLSv1.2 and earlier, please check the "ciphers"
- keyword.
+ describing the list of cipher algorithms in "cipher suite" format that is
+ negotiated during the TLS handshake with the server. The format of the string
+ is defined in "man 1 ciphers" from OpenSSL man pages under the "ciphersuites"
+ section. For cipher configuration for TLSv1.2 and earlier using the "OpenSSL"
+ cipher format, please check the "ciphers" keyword.
cookie <value>
The "cookie" parameter sets the cookie value assigned to the server to
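Review bot: the server-side entry keeps "the list of cipher algorithms ... that is negotiated", while the other three entries touched by this patch say "that are negotiated". The paragraph is being rewrapped anyway, so align the verb with the other entries to keep the four descriptions word-for-word comparable apart from the bind/server difference.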