From: William Lallemand Date: Fri, 26 May 2023 12:44:33 +0000 (+0200) Subject: DOC: install: specify the minimum openssl version recommended X-Git-Tag: v2.8.0~20 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f9c0bca452c1bff9c56c41be319041b3e3e7acd1;p=thirdparty%2Fhaproxy.git DOC: install: specify the minimum openssl version recommended Specify 1.1.1 as the minimum openssl version with full keywords support in haproxy configuration. --- diff --git a/INSTALL b/INSTALL index f44d5f2e43..ca47aa83da 100644 --- a/INSTALL +++ b/INSTALL 
@@ -227,17 +227,19 @@ to forcefully enable it using "USE_LIBCRYPT=1". ----------------- For SSL/TLS, it is necessary to use a cryptography library. HAProxy currently supports the OpenSSL library, and is known to build and work with branches -1.0.0, 1.0.1, 1.0.2, 1.1.0, 1.1.1, 3.0 and 3.1. OpenSSL follows a long-term -support cycle similar to HAProxy's, and each of the branches above receives its -own fixes, without forcing you to upgrade to another branch. There is no excuse -for staying vulnerable by not applying a fix available for your version. There -is always a small risk of regression when jumping from one branch to another -one, especially when it's very new, so it's preferable to observe for a while -if you use a different version than your system's defaults. Specifically, it -has been well established that OpenSSL 3.0 can be 2 to 20 times slower than -earlier versions on multiprocessor systems due to design issues that cannot be -fixed without a major redesign, so in this case upgrading should be carefully -thought about (please see https://github.com/openssl/openssl/issues/20286 and +1.0.0, 1.0.1, 1.0.2, 1.1.0, 1.1.1, 3.0 and 3.1. It is recommended to use at +least OpenSSL 1.1.1 to have support for all SSL keywords and configuration in +HAProxy. OpenSSL follows a long-term support cycle similar to HAProxy's, and +each of the branches above receives its own fixes, without forcing you to +upgrade to another branch. There is no excuse for staying vulnerable by not +applying a fix available for your version. There is always a small risk of +regression when jumping from one branch to another one, especially when it's +very new, so it's preferable to observe for a while if you use a different +version than your system's defaults. 
Specifically, it has been well established +that OpenSSL 3.0 can be 2 to 20 times slower than earlier versions on +multiprocessor systems due to design issues that cannot be fixed without a +major redesign, so in this case upgrading should be carefully thought about +(please see https://github.com/openssl/openssl/issues/20286 and https://github.com/openssl/openssl/issues/17627). If a migration to 3.x is mandated by support reasons, at least 3.1 recovers a small fraction of this important loss.
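Review bot: the new sentence "It is recommended to use at least OpenSSL 1.1.1 to have support for all SSL keywords and configuration in HAProxy" does not say what a reader on 1.0.x or 1.1.0 should expect, so it is hard to act on; state the consequence directly, e.g. "It is recommended to use at least OpenSSL 1.1.1: with older branches some SSL configuration keywords are not available." Since the same paragraph already warns that "there is no excuse for staying vulnerable by not applying a fix available for your version", consider placing the recommendation next to that sentence rather than between the branch list and the long-term-support explanation, so the two pieces of upgrade advice read as one. The hunk header counts (-227,17 +227,19) match the eleven removed and thirteen added lines, so the reflow itself is consistent.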