From f9c0bca452c1bff9c56c41be319041b3e3e7acd1 Mon Sep 17 00:00:00 2001 From: William Lallemand Date: Fri, 26 May 2023 14:44:33 +0200 Subject: [PATCH] DOC: install: specify the minimum openssl version recommended Specify 1.1.1 as the minimum openssl version with full keywords support in haproxy configuration. --- INSTALL | 24 +++++++++++++----------- 1 file changed, 13 insertions(+), 11 deletions(-) diff --git a/INSTALL b/INSTALL index f44d5f2e4..ca47aa83d 100644 --- a/INSTALL +++ b/INSTALL 
@@ -227,17 +227,19 @@ to forcefully enable it using "USE_LIBCRYPT=1". ----------------- For SSL/TLS, it is necessary to use a cryptography library. HAProxy currently supports the OpenSSL library, and is known to build and work with branches -1.0.0, 1.0.1, 1.0.2, 1.1.0, 1.1.1, 3.0 and 3.1. OpenSSL follows a long-term -support cycle similar to HAProxy's, and each of the branches above receives its -own fixes, without forcing you to upgrade to another branch. There is no excuse -for staying vulnerable by not applying a fix available for your version. There -is always a small risk of regression when jumping from one branch to another -one, especially when it's very new, so it's preferable to observe for a while -if you use a different version than your system's defaults. Specifically, it -has been well established that OpenSSL 3.0 can be 2 to 20 times slower than -earlier versions on multiprocessor systems due to design issues that cannot be -fixed without a major redesign, so in this case upgrading should be carefully -thought about (please see https://github.com/openssl/openssl/issues/20286 and +1.0.0, 1.0.1, 1.0.2, 1.1.0, 1.1.1, 3.0 and 3.1. It is recommended to use at +least OpenSSL 1.1.1 to have support for all SSL keywords and configuration in +HAProxy. OpenSSL follows a long-term support cycle similar to HAProxy's, and +each of the branches above receives its own fixes, without forcing you to +upgrade to another branch. There is no excuse for staying vulnerable by not +applying a fix available for your version. There is always a small risk of +regression when jumping from one branch to another one, especially when it's +very new, so it's preferable to observe for a while if you use a different +version than your system's defaults. 
Specifically, it has been well established +that OpenSSL 3.0 can be 2 to 20 times slower than earlier versions on +multiprocessor systems due to design issues that cannot be fixed without a +major redesign, so in this case upgrading should be carefully thought about +(please see https://github.com/openssl/openssl/issues/20286 and https://github.com/openssl/openssl/issues/17627). If a migration to 3.x is mandated by support reasons, at least 3.1 recovers a small fraction of this important loss. -- 2.47.3
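Review bot: the new sentence "It is recommended to use at least OpenSSL 1.1.1 to have support for all SSL keywords and configuration in HAProxy" does not tell the reader what is missing on the older branches (1.0.0 through 1.1.0) that the preceding sentence still lists as known to build and work, so a reader on 1.0.2 cannot tell whether the gap affects them. Consider stating it as a requirement rather than a preference and pointing to where the per-keyword minimum is documented, e.g. "Older branches still build and run, but some SSL keywords are unavailable or limited; the configuration manual indicates the minimum OpenSSL version where a keyword depends on it." The paragraph also now goes from the supported-branch list straight into "There is no excuse for staying vulnerable", so moving the 1.1.1 recommendation to the end of the branch list sentence (or its own short sentence after the long-term support explanation) would keep the security-fix advice and the feature-support advice from reading as one thought.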