On Sat, May 30, 2020 at 03:41:51PM -0400, Joseph C. Sible wrote:
> Anyway, when max < TLSv1.2, I think we should make min default to max.
> I think this is what you mean by "fallback on min = max", but I'm not
> 100% sure.

That's exactly what I meant!

> I don't mind the warning (since servers shouldn't ever have
> the max below TLSv1.2 today), but at the same time, I don't really see
> much value in it either.

In my opinion the warning is important because the configuration will behave differently depending on the HAProxy version you use. For example, in 2.1 with "ssl-max-ver TLSv1.1" alone, HAProxy will accept both TLSv1.0 and TLSv1.1. If we do this change in 2.2, the same configuration will only accept TLSv1.1. I think this kind of configuration is ambiguous, so it's better to emit a warning if the max is lower than the default min.

-- 
William Lallemand
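Added example, not part of the original message and not HAProxy code: a small Python check that flags configuration lines which set `ssl-max-ver` below the default minimum without an explicit `ssl-min-ver`, the ambiguous case discussed in this thread. The TLSv1.2 default minimum, the `audit` function name and the sample configuration are assumptions constructed for illustration; inherited defaults from other sections are not resolved.

```python
import re

# Protocol versions in ascending order, as accepted by ssl-min-ver / ssl-max-ver.
VERSIONS = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
DEFAULT_MIN = "TLSv1.2"  # assumption: the default minimum discussed in the thread

OPT = re.compile(r"\bssl-(min|max)-ver\s+(\S+)")

# Constructed sample configuration (not taken from the thread).
SAMPLE = """\
frontend fe_legacy
    bind :8443 ssl crt /etc/haproxy/site.pem ssl-max-ver TLSv1.1
frontend fe_pinned
    bind :9443 ssl crt /etc/haproxy/site.pem ssl-min-ver TLSv1.1 ssl-max-ver TLSv1.1
frontend fe_modern
    bind :443 ssl crt /etc/haproxy/site.pem ssl-max-ver TLSv1.3  # no issue
"""

def audit(config_text, default_min=DEFAULT_MIN):
    """Return [(line_no, max_ver)] for every line that sets ssl-max-ver
    below default_min and does not set ssl-min-ver on the same line."""
    findings = []
    for no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.split("#", 1)[0]          # drop trailing comments
        opts = dict(OPT.findall(line))       # {"min": ver, "max": ver}
        max_ver = opts.get("max")
        if max_ver not in VERSIONS or "min" in opts:
            continue                         # no max, unknown value, or explicit min
        if VERSIONS.index(max_ver) < VERSIONS.index(default_min):
            findings.append((no, max_ver))
    return findings

if __name__ == "__main__":
    for no, max_ver in audit(SAMPLE):
        print(f"line {no}: ssl-max-ver {max_ver} is below default min "
              f"{DEFAULT_MIN}; set ssl-min-ver explicitly")
```

Setting `ssl-min-ver` next to `ssl-max-ver`, as on the `fe_pinned` line, makes the accepted range explicit and independent of the version-specific default.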

