From: William Lallemand Date: Wed, 25 Jun 2025 12:41:45 +0000 (+0200) Subject: DOC: configuration: add details on prefer-client-ciphers X-Git-Tag: v3.0.12~107 X-Git-Url: http://git.haproxy.org/?a=commitdiff_plain;h=5efb5f4508ac1a16548fd67f76e9dd73d1717f08;p=haproxy-3.0.git DOC: configuration: add details on prefer-client-ciphers prefer-client-ciphers does not work exactly the same way when used with a dual algorithm stack (ECDSA + RSA). This patch details its behavior. This patch must be backported in every maintained version. Problem was discovered in #2988. (cherry picked from commit 370a8cea4a2680cf27d5be61163bada27d541347) Signed-off-by: Willy Tarreau (cherry picked from commit 5000d32a2488a47cf817bebcf023312510d0cddc) Signed-off-by: Christopher Faulet (cherry picked from commit faa6c12a5ceea61b904847a6b481d2efb2ba421b) Signed-off-by: Christopher Faulet --- diff --git a/doc/configuration.txt b/doc/configuration.txt index f4269b5..9b93934 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -16661,10 +16661,17 @@ prefer-client-ciphers Use the client's preference when selecting the cipher suite, by default the server's preference is enforced. This option is also available on global statement "ssl-default-bind-options". + Note that with OpenSSL >= 1.1.1 ChaCha20-Poly1305 is reprioritized anyway (without setting this option), if a ChaCha20-Poly1305 cipher is at the top of the client cipher list. + When using a dual algorithms setup (RSA + ECDSA), the selection algorithm + will chose between RSA and ECDSA and will always prioritize ECDSA. Once the + right certificate is chosen, it will let the SSL library prioritize ciphers, + curves etc. Meaning this option can't be used to prioritize an RSA + certificate over an ECDSA one. + proto Forces the multiplexer's protocol to use for the incoming connections. It must be compatible with the mode of the frontend (TCP or HTTP). It must also
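Review bot: the new paragraph in the prefer-client-ciphers hunk has a typo and a sentence fragment that should be fixed before this is backported everywhere: "will chose between RSA and ECDSA" should read "will choose between RSA and ECDSA", "a dual algorithms setup" should read "a dual-algorithm setup", and "Meaning this option can't be used to prioritize an RSA certificate over an ECDSA one." is not a complete sentence and should be attached to the previous one, e.g. "curves etc., which means this option cannot be used to prioritize an RSA certificate over an ECDSA one." It would also help the reader to state the practical consequence explicitly: with a dual-algorithm setup, a client that offers both ECDSA and RSA cipher suites will always be served the ECDSA certificate whether or not prefer-client-ciphers is set, and the option only affects the cipher, curve and signature-algorithm ordering negotiated after that certificate choice.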