On Fri, Jul 28, 2017 at 03:28:53PM -0700, Kevin McArthur wrote:
> > I really think that for most users it will be fine this way as it has been
> > for 5 years, and for me that justifies not trying to go too far for the
> > short term.
> Fair enough, but don't forget that for the last 5 years folks have just been
> setting verify none in all the tutorials lol!

Yes but it's not surprising. Most of the time haproxy is installed in front of the servers on the local network and is the SSL termination. The main reason for talking SSL to the server is to avoid having to touch its configuration to make it accept clear communications. We've been keeping SSLv3 solely for this reason for example. The docs are clear enough on the impacts of "verify none" and it's not the default, so users are expected to be aware of the risks.

Willy

