512411108c
- Add new patches (see https://www.haproxy.org/bugs/bugs-1.8.17.html) - Raise PKG_RELEASE to 2 - Prefix patches with 3-digit numbers instead of 4-digit numbers Signed-off-by: Christian Lachner <gladiac@gmail.com>
32 lines
1.3 KiB
Diff
32 lines
1.3 KiB
Diff
commit aca7e5aed7e036489ccc83d925103e94653b8670
|
|
Author: Olivier Houchard <ohouchard@haproxy.com>
|
|
Date: Tue Jan 8 15:35:32 2019 +0100
|
|
|
|
DOC: Be a bit more explicit about allow-0rtt security implications.
|
|
|
|
Document a bit better than allow-0rtt can trivially be used for replay attacks,
|
|
and so should only be used when it's safe to replay a request.
|
|
|
|
This should probably be backported to 1.8 and 1.9.
|
|
|
|
(cherry picked from commit 69752964944ef9c8dc03477ee95bc7d149a72089)
|
|
Signed-off-by: Willy Tarreau <w@1wt.eu>
|
|
(cherry picked from commit bb0df71201ad5b2d0cec514773d244275e5240df)
|
|
Signed-off-by: William Lallemand <wlallemand@haproxy.org>
|
|
|
|
diff --git a/doc/configuration.txt b/doc/configuration.txt
|
|
index 712e56e2..72b769a4 100644
|
|
--- a/doc/configuration.txt
|
|
+++ b/doc/configuration.txt
|
|
@@ -10483,7 +10483,10 @@ accept-proxy
|
|
|
|
allow-0rtt
|
|
Allow receiving early data when using TLSv1.3. This is disabled by default,
|
|
- due to security considerations.
|
|
+ due to security considerations. Because it is vulnerable to replay attacks,
|
|
+ you should only allow if for requests that are safe to replay, ie requests
|
|
+ that are idempotent. You can use the "wait-for-handshake" action for any
|
|
+ request that wouldn't be safe with early data.
|
|
|
|
alpn <protocols>
|
|
This enables the TLS ALPN extension and advertises the specified protocol
|