On Sat, May 30, 2020 at 04:19:02PM -0400, Joseph C. Sible wrote:
> On Sat, May 30, 2020 at 4:15 PM William Lallemand
> <[email protected]> wrote:
> >
> > On Sat, May 30, 2020 at 03:41:51PM -0400, Joseph C. Sible wrote:
> > > Anyway, when max < TLSv1.2, I think we should make min default to max.
> > > I think this is what you mean by "fallback on min = max", but I'm not
> > > 100% sure.
> >
> > That's exactly what I meant!
> >
> > > I don't mind the warning (since servers shouldn't ever have
> > > the max below TLSv1.2 today), but at the same time, I don't really see
> > > much value in it either.
> >
> > In my opinion the warning is important because the configuration
> > will behave differently depending on the HAProxy version you use.
> >
> > For example, in 2.1 with "ssl-max-ver TLSv1.1" alone, HAProxy will
> > accept both TLSv1.0 and TLSv1.1. If we do this change in 2.2, the same
> > configuration will only accept TLSv1.1. I think this kind of
> > configuration is ambiguous so it's better to emit a warning if the max
> > is lower than the default min.
>
> Ah, the loss of TLSv1.0 with just "ssl-max-ver TLSv1.1" is a good
> point. I agree that that is worth a warning.
>

Thanks for the valuable input, I'll make a patch.

-- 
William Lallemand
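Added example, not part of the original message and not HAProxy code: a small audit script that finds the ambiguous case discussed in the thread above ("ssl-max-ver" set below TLSv1.2 with no "ssl-min-ver") and lists the versions accepted under each behaviour. It assumes a TLSv1.0 floor for the older behaviour, taken from the 2.1 example in the thread; the function names, result keys and sample configuration are constructed for illustration.

```python
import re

# Keywords accepted by ssl-min-ver / ssl-max-ver, oldest first.
VERSIONS = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
OLD_FLOOR = "TLSv1.0"  # assumption: implied by the 2.1 example in the thread
NEW_FLOOR = "TLSv1.2"  # default minimum discussed in the thread

def _opt(line, name):
    """Value following a bind option keyword, or None if absent."""
    m = re.search(r"(?:^|\s)" + re.escape(name) + r"\s+(\S+)", line)
    return m.group(1) if m else None

def _span(lo, hi):
    """Versions from lo to hi inclusive (empty if lo is newer than hi)."""
    return VERSIONS[VERSIONS.index(lo):VERSIONS.index(hi) + 1]

def audit(config_text):
    """Flag ssl bind lines whose max is set, min is not, and max < NEW_FLOOR."""
    findings, dflt_min, dflt_max = [], None, None
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line.startswith("ssl-default-bind-options"):
            # Global defaults apply to bind lines that do not set their own.
            dflt_min = _opt(line, "ssl-min-ver") or dflt_min
            dflt_max = _opt(line, "ssl-max-ver") or dflt_max
            continue
        words = line.split()
        if not words or words[0] != "bind" or "ssl" not in words:
            continue
        vmin = _opt(line, "ssl-min-ver") or dflt_min
        vmax = _opt(line, "ssl-max-ver") or dflt_max
        if vmin or vmax not in VERSIONS:
            continue  # explicit min, or no recognised max: not ambiguous
        if VERSIONS.index(vmax) >= VERSIONS.index(NEW_FLOOR):
            continue
        findings.append({"line": lineno, "max": vmax,
                         "min_unset_old": _span(OLD_FLOOR, vmax),
                         "min_equals_max": _span(vmax, vmax)})
    return findings

# Constructed sample configuration; ports and certificate path are placeholders.
SAMPLE = """\
frontend legacy
    bind :8443 ssl crt /etc/haproxy/site.pem ssl-max-ver TLSv1.1
frontend pinned
    bind :9443 ssl crt /etc/haproxy/site.pem ssl-min-ver TLSv1.1 ssl-max-ver TLSv1.1
frontend modern
    bind :443 ssl crt /etc/haproxy/site.pem ssl-max-ver TLSv1.3
"""
print(audit(SAMPLE))
```

Setting "ssl-min-ver" explicitly on each flagged line removes the ambiguity regardless of which HAProxy version reads the file.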

