DOC: configuration: add details on prefer-client-ciphers

prefer-client-ciphers does not work exactly the same way when used with
a dual algorithm stack (ECDSA + RSA). This patch details its behavior.

This patch must be backported in every maintained version.

Problem was discovered in #2988.

(cherry picked from commit 370a8cea4a2680cf27d5be61163bada27d541347)
Signed-off-by: Willy Tarreau <w@1wt.eu>
(cherry picked from commit 5000d32a2488a47cf817bebcf023312510d0cddc)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
(cherry picked from commit faa6c12a5ceea61b904847a6b481d2efb2ba421b)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>

diff --git a/doc/configuration.txt b/doc/configuration.txt
index f4269b5..9b93934 100644 (file)
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -16661,10 +16661,17 @@ prefer-client-ciphers
   Use the client's preference when selecting the cipher suite, by default
   the server's preference is enforced. This option is also available on
   global statement "ssl-default-bind-options".
+
   Note that with OpenSSL >= 1.1.1 ChaCha20-Poly1305 is reprioritized anyway
   (without setting this option), if a ChaCha20-Poly1305 cipher is at the top of
   the client cipher list.
 
+  When using a dual algorithms setup (RSA + ECDSA), the selection algorithm
+  will chose between RSA and ECDSA and will always prioritize ECDSA. Once the
+  right certificate is chosen, it will let the SSL library prioritize ciphers,
+  curves etc. Meaning this option can't be used to prioritize an RSA
+  certificate over an ECDSA one.
+
 proto <name>
   Forces the multiplexer's protocol to use for the incoming connections. It
   must be compatible with the mode of the frontend (TCP or HTTP). It must also