From: William Lallemand Date: Wed, 25 Jun 2025 12:41:45 +0000 (+0200) Subject: DOC: configuration: add details on prefer-client-ciphers X-Git-Tag: v3.3-dev2~20 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=370a8cea4a2680cf27d5be61163bada27d541347;p=thirdparty%2Fhaproxy.git DOC: configuration: add details on prefer-client-ciphers prefer-client-ciphers does not work exactly the same way when used with a dual algorithm stack (ECDSA + RSA). This patch details its behavior. This patch must be backported in every maintained version. Problem was discovered in #2988. --- diff --git a/doc/configuration.txt b/doc/configuration.txt index 4dfd53bc2..5803f5648 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -16883,10 +16883,17 @@ prefer-client-ciphers Use the client's preference when selecting the cipher suite, by default the server's preference is enforced. This option is also available on global statement "ssl-default-bind-options". + Note that with OpenSSL >= 1.1.1 ChaCha20-Poly1305 is reprioritized anyway (without setting this option), if a ChaCha20-Poly1305 cipher is at the top of the client cipher list. + When using a dual algorithms setup (RSA + ECDSA), the selection algorithm + will chose between RSA and ECDSA and will always prioritize ECDSA. Once the + right certificate is chosen, it will let the SSL library prioritize ciphers, + curves etc. Meaning this option can't be used to prioritize an RSA + certificate over an ECDSA one. + proto Forces the multiplexer's protocol to use for the incoming connections. It must be compatible with the mode of the frontend (TCP or HTTP). It must also
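Review bot: in the added paragraph, "the selection algorithm will chose between RSA and ECDSA" should read "will choose", and "a dual algorithms setup (RSA + ECDSA)" reads better as "a dual-algorithm setup (RSA + ECDSA)". The "Meaning this option can't be used ..." fragment would also be clearer as a full sentence, e.g. "This means the option cannot be used to prioritize an RSA certificate over an ECDSA one."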