mirror of
https://git.haproxy.org/git/haproxy.git/
synced 2025-08-06 23:27:04 +02:00
DOC: install: specify the minimum openssl version recommended
Specify 1.1.1 as the minimum openssl version with full keywords support in haproxy configuration.
parent
33bbeecde3
commit
f9c0bca452
24
INSTALL
@ -227,17 +227,19 @@ to forcefully enable it using "USE_LIBCRYPT=1".
|
|||||||
-----------------
|
-----------------
|
||||||
For SSL/TLS, it is necessary to use a cryptography library. HAProxy currently
|
For SSL/TLS, it is necessary to use a cryptography library. HAProxy currently
|
||||||
supports the OpenSSL library, and is known to build and work with branches
|
supports the OpenSSL library, and is known to build and work with branches
|
||||||
1.0.0, 1.0.1, 1.0.2, 1.1.0, 1.1.1, 3.0 and 3.1. OpenSSL follows a long-term
|
1.0.0, 1.0.1, 1.0.2, 1.1.0, 1.1.1, 3.0 and 3.1. It is recommended to use at
|
||||||
support cycle similar to HAProxy's, and each of the branches above receives its
|
least OpenSSL 1.1.1 to have support for all SSL keywords and configuration in
|
||||||
own fixes, without forcing you to upgrade to another branch. There is no excuse
|
HAProxy. OpenSSL follows a long-term support cycle similar to HAProxy's, and
|
||||||
for staying vulnerable by not applying a fix available for your version. There
|
each of the branches above receives its own fixes, without forcing you to
|
||||||
is always a small risk of regression when jumping from one branch to another
|
upgrade to another branch. There is no excuse for staying vulnerable by not
|
||||||
one, especially when it's very new, so it's preferable to observe for a while
|
applying a fix available for your version. There is always a small risk of
|
||||||
if you use a different version than your system's defaults. Specifically, it
|
regression when jumping from one branch to another one, especially when it's
|
||||||
has been well established that OpenSSL 3.0 can be 2 to 20 times slower than
|
very new, so it's preferable to observe for a while if you use a different
|
||||||
earlier versions on multiprocessor systems due to design issues that cannot be
|
version than your system's defaults. Specifically, it has been well established
|
||||||
fixed without a major redesign, so in this case upgrading should be carefully
|
that OpenSSL 3.0 can be 2 to 20 times slower than earlier versions on
|
||||||
thought about (please see https://github.com/openssl/openssl/issues/20286 and
|
multiprocessor systems due to design issues that cannot be fixed without a
|
||||||
|
major redesign, so in this case upgrading should be carefully thought about
|
||||||
|
(please see https://github.com/openssl/openssl/issues/20286 and
|
||||||
https://github.com/openssl/openssl/issues/17627). If a migration to 3.x is
|
https://github.com/openssl/openssl/issues/17627). If a migration to 3.x is
|
||||||
mandated by support reasons, at least 3.1 recovers a small fraction of this
|
mandated by support reasons, at least 3.1 recovers a small fraction of this
|
||||||
important loss.
|
important loss.
|
||||||
|
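Review bot: The added sentence "It is recommended to use at least OpenSSL 1.1.1 to have support for all SSL keywords and configuration in HAProxy" does not say what a user on the older branches loses, even though the preceding sentence still lists 1.0.0, 1.0.1, 1.0.2 and 1.1.0 as known to build and work. Consider stating that builds against those branches lack some SSL keywords, or pointing to where the affected keywords are documented, so the reader can judge whether the recommendation applies to their configuration. Separately, "at least 1.1.1" can be read as a push toward 3.x, while the same paragraph warns a few sentences later that OpenSSL 3.0 can be 2 to 20 times slower on multiprocessor systems; wording such as "1.1.1 is the oldest branch with full keyword support" would avoid that reading. Minor: inserting the sentence mid-paragraph reflows every following line, so a standalone sentence at the end of the paragraph would keep the diff to the lines that actually change.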