Hello William,
On 13/02/2025 at 11:31, William Lallemand wrote:
> Go is in fact not required, you only need it if you want to activate FIPS.
> You can compile like this:
>
>     cmake -DCMAKE_BUILD_TYPE=Release -DBUILD_SHARED_LIBS=1 -DDISABLE_GO=1 \
>           -DDISABLE_PERL=1 \
>           -DBUILD_TESTING=0 -DCMAKE_INSTALL_PREFIX=${BUILDSSL_DESTDIR} ..
Thanks for the tip. It's simpler this way. Actually, I'm currently using a
static aws-lc library while compiling haproxy.
> You could remove all DHE-* ciphers: as they are not implemented in AWS-LC,
> they are ignored. Regarding the TLSv1.3 ciphersuites, only 3 are
> implemented, so you could keep the default values.
Sorry for the DHE-* ciphers, there were none in my config, but I copy/pasted
strings from the Mozilla generator instead and didn't see the DHE-*
ciphers listed at the end. My bad. :/
> TLSv1.2 is already the minimum on bind lines in recent HAProxy versions.
>
> Regarding no-tls-tickets, it depends whether you want to avoid entirely
> resuming a previous TLS session, or whether you want to use "stateful
> tickets" instead of "stateless" ones that use the HAProxy cache.
>
> If you want to completely disable TLS resumption on bind lines, you need,
> in addition to no-tls-tickets:
>
>     tune.ssl.cachesize 0
>
> in the global section.
>
> Note that stateful resumption is not implemented for TLSv1.3 in AWS-LC.
I have to investigate more about resuming TLS sessions and the security
concerns, and also 0-RTT for the same reason; I haven't activated it yet.
Otherwise, I didn't notice any other problem with haproxy + aws-lc. The
only one I had was related to the DH params file option.
Thanks a lot for your time and tips. I appreciate it.
--
Best regards,
Artur
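The settings discussed in this exchange, collected into one HAProxy configuration as an added example (this is not a config from either participant, nor from the HAProxy or AWS-LC projects). It assumes an HAProxy built against AWS-LC as described above; the certificate path, backend address and the ECDHE-only TLSv1.2 cipher list are constructed for illustration and should be adjusted to local policy.

```haproxy
global
    # TLS defaults applied to every "bind ... ssl" line below.
    # Assumption: HAProxy linked against a static AWS-LC, as in the thread.
    # No DHE-* entries: AWS-LC does not implement DHE, so they would simply
    # be ignored. This ECDHE-only list is a constructed example.
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305

    # TLSv1.3: the three suites AWS-LC implements, which match HAProxy's
    # defaults, so this line only makes the policy explicit.
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256

    # no-tls-tickets disables stateless (ticket-based) resumption.
    # ssl-min-ver TLSv1.2 is already the default on recent versions; stated
    # here so the minimum is visible in the config.
    ssl-default-bind-options no-tls-tickets ssl-min-ver TLSv1.2

    # With tickets off, the server-side session cache would still allow
    # stateful resumption. Setting the cache size to 0 disables resumption
    # entirely; leave this line out to keep stateful resumption (TLSv1.2 only
    # with AWS-LC, which has no stateful TLSv1.3 resumption).
    tune.ssl.cachesize 0

frontend https-in
    # Placeholder certificate path. allow-0rtt is deliberately not set, so
    # no early data is accepted.
    bind :443 ssl crt /etc/haproxy/certs/example.pem
    default_backend app

backend app
    # Placeholder backend.
    server app1 127.0.0.1:8080
```

To keep stateful resumption for TLSv1.2 while still refusing stateless tickets, remove only the `tune.ssl.cachesize 0` line; `haproxy -c -f haproxy.cfg` validates the syntax before reload.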