DOC: install: specify the minimum openssl version recommended
Specify 1.1.1 as the minimum openssl version with full keywords support
in haproxy configuration.
diff --git a/INSTALL b/INSTALL
index f44d5f2..ca47aa8 100644
--- a/INSTALL
+++ b/INSTALL
@@ -227,17 +227,19 @@
-----------------
For SSL/TLS, it is necessary to use a cryptography library. HAProxy currently
supports the OpenSSL library, and is known to build and work with branches
-1.0.0, 1.0.1, 1.0.2, 1.1.0, 1.1.1, 3.0 and 3.1. OpenSSL follows a long-term
-support cycle similar to HAProxy's, and each of the branches above receives its
-own fixes, without forcing you to upgrade to another branch. There is no excuse
-for staying vulnerable by not applying a fix available for your version. There
-is always a small risk of regression when jumping from one branch to another
-one, especially when it's very new, so it's preferable to observe for a while
-if you use a different version than your system's defaults. Specifically, it
-has been well established that OpenSSL 3.0 can be 2 to 20 times slower than
-earlier versions on multiprocessor systems due to design issues that cannot be
-fixed without a major redesign, so in this case upgrading should be carefully
-thought about (please see https://github.com/openssl/openssl/issues/20286 and
+1.0.0, 1.0.1, 1.0.2, 1.1.0, 1.1.1, 3.0 and 3.1. It is recommended to use at
+least OpenSSL 1.1.1 to have support for all SSL keywords and configuration in
+HAProxy. OpenSSL follows a long-term support cycle similar to HAProxy's, and
+each of the branches above receives its own fixes, without forcing you to
+upgrade to another branch. There is no excuse for staying vulnerable by not
+applying a fix available for your version. There is always a small risk of
+regression when jumping from one branch to another one, especially when it's
+very new, so it's preferable to observe for a while if you use a different
+version than your system's defaults. Specifically, it has been well established
+that OpenSSL 3.0 can be 2 to 20 times slower than earlier versions on
+multiprocessor systems due to design issues that cannot be fixed without a
+major redesign, so in this case upgrading should be carefully thought about
+(please see https://github.com/openssl/openssl/issues/20286 and
https://github.com/openssl/openssl/issues/17627). If a migration to 3.x is
mandated by support reasons, at least 3.1 recovers a small fraction of this
important loss.
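Review bot: the sentence added after the branch list ("It is recommended to use at least OpenSSL 1.1.1 to have support for all SSL keywords and configuration in HAProxy") does not say what a user on 1.0.x or 1.1.0 loses or how it shows up. A reader cannot tell whether an unsupported keyword fails the build, is rejected when the configuration is parsed, or is accepted and ignored. Consider naming at least one affected keyword or pointing to where the version requirements are documented. The paragraph still opens by listing 1.0.0 through 1.1.0 as "known to build and work", so the recommendation would read more clearly as "builds with all of these, but full keyword support needs 1.1.1 or later". As a style point, the whole paragraph was re-wrapped, which turns a one-sentence addition into 11 removed and 13 added lines; keeping the original line breaks after the inserted sentence would make the change easier to review and to backport.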