DOC: install: specify the minimum openssl version recommended

Specify 1.1.1 as the minimum openssl version with full keyword support
in haproxy configuration.
William Lallemand 2023-05-26 14:44:33 +02:00
parent 33bbeecde3
commit f9c0bca452

24
INSTALL

@ -227,17 +227,19 @@ to forcefully enable it using "USE_LIBCRYPT=1".
----------------- -----------------
For SSL/TLS, it is necessary to use a cryptography library. HAProxy currently For SSL/TLS, it is necessary to use a cryptography library. HAProxy currently
supports the OpenSSL library, and is known to build and work with branches supports the OpenSSL library, and is known to build and work with branches
1.0.0, 1.0.1, 1.0.2, 1.1.0, 1.1.1, 3.0 and 3.1. OpenSSL follows a long-term 1.0.0, 1.0.1, 1.0.2, 1.1.0, 1.1.1, 3.0 and 3.1. It is recommended to use at
support cycle similar to HAProxy's, and each of the branches above receives its least OpenSSL 1.1.1 to have support for all SSL keywords and configuration in
own fixes, without forcing you to upgrade to another branch. There is no excuse HAProxy. OpenSSL follows a long-term support cycle similar to HAProxy's, and
for staying vulnerable by not applying a fix available for your version. There each of the branches above receives its own fixes, without forcing you to
is always a small risk of regression when jumping from one branch to another upgrade to another branch. There is no excuse for staying vulnerable by not
one, especially when it's very new, so it's preferable to observe for a while applying a fix available for your version. There is always a small risk of
if you use a different version than your system's defaults. Specifically, it regression when jumping from one branch to another one, especially when it's
has been well established that OpenSSL 3.0 can be 2 to 20 times slower than very new, so it's preferable to observe for a while if you use a different
earlier versions on multiprocessor systems due to design issues that cannot be version than your system's defaults. Specifically, it has been well established
fixed without a major redesign, so in this case upgrading should be carefully that OpenSSL 3.0 can be 2 to 20 times slower than earlier versions on
thought about (please see https://github.com/openssl/openssl/issues/20286 and multiprocessor systems due to design issues that cannot be fixed without a
major redesign, so in this case upgrading should be carefully thought about
(please see https://github.com/openssl/openssl/issues/20286 and
https://github.com/openssl/openssl/issues/17627). If a migration to 3.x is https://github.com/openssl/openssl/issues/17627). If a migration to 3.x is
mandated by support reasons, at least 3.1 recovers a small fraction of this mandated by support reasons, at least 3.1 recovers a small fraction of this
important loss. important loss.
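Review bot: the new sentence "It is recommended to use at least OpenSSL 1.1.1 to have support for all SSL keywords and configuration in HAProxy" is placed directly between the list of known-working branches (which still starts at 1.0.0) and the unchanged claim that "each of the branches above receives its own fixes", and the two now read inconsistently: the list and the fixes sentence imply that 1.0.0, 1.0.1, 1.0.2 and 1.1.0 are still maintained targets, while the added sentence tells the reader not to rely on them. Upstream OpenSSL no longer publishes fixes for the 1.0.x and 1.1.0 branches, so fixes for those only come from OS vendors' backports; consider qualifying the sentence, for example "each of the currently maintained branches receives its own fixes (older branches only for as long as your OS vendor backports them)", or trimming the list to the branches the project still tests. Separately, the recommendation gives no way for an operator on 1.0.2 to tell whether it applies to them, since it does not say which keywords or features need 1.1.1; a pointer to the configuration manual entries that state their OpenSSL version requirement would make the "all SSL keywords" claim actionable.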