On Sat, May 30, 2020 at 4:15 PM William Lallemand
<wlallem...@haproxy.com> wrote:
>
> On Sat, May 30, 2020 at 03:41:51PM -0400, Joseph C. Sible wrote:
> > Anyway, when max < TLSv1.2, I think we should make min default to max.
> > I think this is what you mean by "fallback on min = max", but I'm not
> > 100% sure.
>
> That's exactly what I meant!
>
> > I don't mind the warning (since servers shouldn't ever have
> > the max below TLSv1.2 today), but at the same time, I don't really see
> > much value in it either.
>
> In my opinion the warning is important because the configuration
> will behave differently depending on the HAProxy version you use.
>
> For example, in 2.1 with "ssl-max-ver TLSv1.1" alone, HAProxy will
> accept both TLSv1.0 and TLSv1.1. If we do this change in 2.2, the same
> configuration will only accept TLSv1.1. I think this kind of
> configuration is ambiguous so it's better to emit a warning if the max
> is lower than the default min.

Ah, the loss of TLSv1.0 with just "ssl-max-ver TLSv1.1" is a good
point. I agree that that is worth a warning.

Joseph C. Sible
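
A configuration check for the case discussed in this thread, as an added example that is not part of the original messages or of HAProxy's code. It flags lines that set "ssl-max-ver" below TLSv1.2 without an explicit "ssl-min-ver" and reports the accepted versions before and after the proposed change. Assumptions: the old default min of TLSv1.0 is inferred from the 2.1 behaviour described above, only options on the same line are considered, and the sample configuration is constructed.

```python
VERSIONS = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]  # oldest first
OLD_DEFAULT_MIN = "TLSv1.0"  # assumption: matches the 2.1 behaviour described in the thread
NEW_DEFAULT_MIN = "TLSv1.2"  # assumption: the default min the thread compares max against


def accepted(min_ver, max_ver, default_min, min_follows_max):
    """Versions accepted for one line; min_ver/max_ver are None when unset."""
    hi = VERSIONS.index(max_ver) if max_ver else len(VERSIONS) - 1
    if min_ver:
        lo = VERSIONS.index(min_ver)
    else:
        lo = VERSIONS.index(default_min)
        if min_follows_max and hi < lo:
            lo = hi  # proposed fallback: min defaults to max
    return VERSIONS[lo:hi + 1]


def lint(config_text):
    """Flag lines with ssl-max-ver below NEW_DEFAULT_MIN and no ssl-min-ver."""
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        tokens = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        opts = {k: v for k, v in zip(tokens, tokens[1:])
                if k in ("ssl-min-ver", "ssl-max-ver") and v in VERSIONS}
        min_ver, max_ver = opts.get("ssl-min-ver"), opts.get("ssl-max-ver")
        if max_ver is None or min_ver is not None:
            continue  # nothing ambiguous: no max set, or min is explicit
        if VERSIONS.index(max_ver) < VERSIONS.index(NEW_DEFAULT_MIN):
            findings.append({
                "line": line_no,
                "old": accepted(None, max_ver, OLD_DEFAULT_MIN, False),
                "new": accepted(None, max_ver, NEW_DEFAULT_MIN, True),
            })
    return findings


# Constructed sample configuration (not from the thread).
SAMPLE = """\
frontend fe_legacy
    bind :8443 ssl crt /etc/haproxy/site.pem ssl-max-ver TLSv1.1
frontend fe_explicit
    bind :9443 ssl crt /etc/haproxy/site.pem ssl-min-ver TLSv1.0 ssl-max-ver TLSv1.1
frontend fe_modern
    bind :443 ssl crt /etc/haproxy/site.pem ssl-min-ver TLSv1.2
"""

if __name__ == "__main__":
    for f in lint(SAMPLE):
        print(f"line {f['line']}: accepts {f['old']} today, {f['new']} after the change")
```

Setting "ssl-min-ver" explicitly on a flagged line removes the ambiguity, so the configuration behaves the same on either version.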
