MEDIUM: ssl: allow to change the OpenSSL security level from global section

author    William Lallemand <wlallemand@haproxy.com>
          Tue, 12 Mar 2024 15:22:34 +0000 (16:22 +0100)
committer William Lallemand <wlallemand@haproxy.com>
          Tue, 12 Mar 2024 16:37:11 +0000 (17:37 +0100)
commit    501d9fdb86088b1d785a46be8382a3bbe6a3b905
tree      b7cd4dc4ea459350b76dbc552d240e16ab54facc
parent    7e9e4a8f501191044bf37341b6b5df68219e9e1c
MEDIUM: ssl: allow to change the OpenSSL security level from global section

The new "ssl-security-level" option allows one to change the OpenSSL
security level without having to change the openssl.cnf global file of
your distribution. This directive applies to every SSL_CTX context.

People sometimes change their security level directly in the ciphers
directive; however, there are some cases when the security level change
is not applied in the right order (for example when applying a DH
param).

Before this patch, it was possible to trick it by using a specific
openssl.cnf file and starting haproxy this way:

    OPENSSL_CONF=./openssl.cnf ./haproxy -f bug-2468.cfg

Values for the security level can be found here:

https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_security_level.html

This was discussed in github issue #2468.

doc/configuration.txt
include/haproxy/openssl-compat.h
include/haproxy/ssl_sock-t.h
src/cfgparse-ssl.c
src/quic_ssl.c
src/ssl_gencert.c
src/ssl_sock.c
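The following configuration is an added example and is not part of this commit or of the HAProxy documentation. It assumes the directive takes the form `ssl-security-level <n>` in the `global` section, with `n` being one of the levels 0 to 5 documented on the linked `SSL_CTX_set_security_level(3)` page; the certificate path, listener and backend are constructed placeholders. The commented-out `ssl-default-bind-ciphers` line shows the cipher-string approach (`@SECLEVEL=`) the commit message says is not always applied in the right order; the `global` directive replaces it.

```haproxy
# Added example, not part of the commit. Assumed syntax: "ssl-security-level <0-5>".
global
    # Applies the OpenSSL security level to every SSL_CTX HAProxy creates,
    # independent of the distribution's openssl.cnf and of OPENSSL_CONF.
    ssl-security-level 2

    # Older workaround described in the commit message: setting the level
    # through the cipher string. Per the commit, this can be applied in the
    # wrong order relative to other SSL_CTX setup (e.g. DH parameters), so
    # the global directive above is preferred.
    # ssl-default-bind-ciphers DEFAULT@SECLEVEL=2

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend fe_https
    # Constructed placeholder path for the PEM bundle.
    bind :443 ssl crt /etc/haproxy/certs/example.pem
    default_backend be_app

backend be_app
    server app1 127.0.0.1:8080
```

With level 2, OpenSSL refuses RSA/DH keys shorter than 2048 bits and ECC keys shorter than 224 bits and disables some older ciphers, so a certificate or DH parameter that loads fine at level 1 can fail at startup; checking the configuration with `haproxy -c -f <file>` before reloading shows such errors without touching the running instance.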