Sending this back, looks like I got blocked by the RBL again.

On Wed, Feb 05, 2025 at 06:07:39PM +0100, Artur wrote:
> Hello !
>
> I'm testing the aws-lc library with haproxy (3.1) and I was surprised to get a
> start failure after migration from quictls to aws-lc :
>
> [ALERT] : config : parsing [/etc/haproxy/haproxy.cfg:19] : unknown keyword
> 'ssl-dh-param-file' in 'global' section; did you mean
> 'tune.ssl.default-dh-param' maybe ?
>
> I removed 'ssl-dh-param-file' and haproxy started. However it made me wonder
> if there are some other differences/limitations related to aws-lc.
> I've already seen that some ciphers are not available in aws-lc.
>
> So, I'm currently looking for a suggested (basic/secure) config for use with
> aws-lc. Maybe some articles are available to explain haproxy and aws-lc
> interactions from an admin point of view ?
Hello Artur,

Indeed there are some differences with OpenSSL. We do have a page which talks about AWS-LC but it is not complete unfortunately:
https://github.com/haproxy/wiki/wiki/SSL-Libraries-Support-Status

However, AWS-LC maintains good documentation about their differences with OpenSSL:
https://github.com/aws/aws-lc/blob/main/docs/porting/functionality-differences.md

The biggest difference is indeed the old ciphers that were removed from the library; that's why the dh-param parameter does not work: the DHE ciphers do not exist in AWS-LC, ECDHE is recommended instead.

Renegotiation is something that is also not implemented completely, but that's not a required feature nowadays.

Stateful session resumption, meaning the SSL session cache, is also only implemented with TLSv1.2; with TLSv1.3 only ticket resumption is available.

Basically AWS-LC focuses more on modern features, and does not try to implement the old ones that should disappear from the ecosystem.

Regards,

-- 
William Lallemand
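As an added illustration of the points above (this is example configuration written for this page, not a config from the thread or from the HAProxy project), here is the kind of `global`/`frontend` pair that breaks on an AWS-LC build next to an adjusted version. Certificate and ticket-key paths, port numbers and the backend address are placeholders; the cipher names are the OpenSSL-style names HAProxy passes through to the library.

```haproxy
# --- before: written for a quictls/OpenSSL build ---------------------------
# global
#     ssl-dh-param-file /etc/haproxy/dhparam.pem
#     ssl-default-bind-ciphers DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256
#
# On an AWS-LC build the first line aborts startup with "unknown keyword
# 'ssl-dh-param-file'": the library ships no DHE suites, so there is nothing
# for the DH parameters to feed. The DHE-RSA-* entry in the cipher list would
# simply never be selected.

# --- after: adjusted for an AWS-LC build ----------------------------------
global
    # Key exchange is ECDHE only, so choose curves instead of DH parameters.
    ssl-default-bind-curves X25519:P-256

    # TLSv1.2 list limited to ECDHE + AEAD suites (no DHE-*, no CBC).
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305

    # Floor at TLSv1.2; TLSv1.3 suites are left at the library default.
    ssl-default-bind-options ssl-min-ver TLSv1.2

    # Stateful session cache: under AWS-LC this only serves TLSv1.2 clients.
    tune.ssl.cachesize 20000
    tune.ssl.lifetime 300

frontend fe_https
    # TLSv1.3 clients can only resume via tickets under AWS-LC, so do not add
    # 'no-tls-tickets' here. A ticket key file (placeholder path) replaces the
    # per-process random key so resumption survives reloads and works across
    # several nodes.
    bind :443 ssl crt /etc/haproxy/certs/site.pem tls-ticket-keys /etc/haproxy/ticket.keys alpn h2,http/1.1
    default_backend be_app

backend be_app
    server app1 127.0.0.1:8080
```

Two checks worth running after the swap: `haproxy -vv` shows which SSL library the binary was built against, and `haproxy -c -f /etc/haproxy/haproxy.cfg` validates the file without starting the daemon, which is where an unsupported keyword surfaces. The ticket key file needs at least three base64-encoded keys, one per line (for example three runs of `openssl rand -base64 80`), and should be rotated on the same schedule on every node that shares it.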