Hello, Everything said here is based on my opinion, so just add "IMO" in front of every sentence :)
On 6/25/2015 6:01 PM, Remi Gacogne wrote: > Hi, > >> I was unaware that BoringSSL removed the callback, but in that case, could >> we limit this feature to only OpenSSL? I¹m also not seeing how using this >> callback prevents rfc5077, could you please elaborate. Although we are expecting to gain a lot on server side CPU usage, we absolutely must not disable TLS session tickets as there are many clients not supporting EC. > > Yes, choosing a common suite supported by both side is a necessity. But > when there is more than one common suite, which happens most of the > time, you can either follow the client's preference or the server one. > Right now, it seems that we have a consensus to follow the server's > choice (see ssl_prefer_server_ciphers on for nginx, SSLHonorCipherOrder > on for Apache HTTPd, ..) and I believe we should continue to do that in > HAproxy because legacy clients have a long history of choosing crappy > ciphersuite (look at the recent export fiascos, for example). I also consider this best practice and would like to keep current behavior. > >> Tying this feature into 1.0.2 would definitely make it easier, I agree. It >> just will hinder adoption. > > That's true, but I am afraid doing otherwise would require adding a > complex logic in the TLS stack of HAproxy, so sadly I am more enclined > to require 1.0.2 for people willing to use this feature. OpenSSL being pretty complex, I prefer this approach also. People who want best performance will go with 1.0.2 anyways due to performance improvements. For example, RSA2048 on 1.0.1e gives 850 signs/s, while 1.0.2c gives 1470 signs/s (Xeon v3 CPU). Just my 2c. Regards, Nenad