DOC: configuration: add details on prefer-client-ciphers

prefer-client-ciphers does not work exactly the same way when used with
a dual algorithm stack (ECDSA + RSA). This patch details its behavior.

This patch must be backported in every maintained version.

Problem was discovered in #2988.

diff --git a/doc/configuration.txt b/doc/configuration.txt
index 4dfd53bc248dd7d2c753d335a08a816531d2ae09..5803f56481291f11faff899ad6d7427fab27902a 100644 (file)
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -16883,10 +16883,17 @@ prefer-client-ciphers
   Use the client's preference when selecting the cipher suite, by default
   the server's preference is enforced. This option is also available on
   global statement "ssl-default-bind-options".
+
   Note that with OpenSSL >= 1.1.1 ChaCha20-Poly1305 is reprioritized anyway
   (without setting this option), if a ChaCha20-Poly1305 cipher is at the top of
   the client cipher list.
 
+  When using a dual algorithms setup (RSA + ECDSA), the selection algorithm
+  will chose between RSA and ECDSA and will always prioritize ECDSA. Once the
+  right certificate is chosen, it will let the SSL library prioritize ciphers,
+  curves etc. Meaning this option can't be used to prioritize an RSA
+  certificate over an ECDSA one.
+
 proto <name>
   Forces the multiplexer's protocol to use for the incoming connections. It
   must be compatible with the mode of the frontend (TCP or HTTP). It must also