On 29 Apr, Shawn Heisey wrote:
> I know that a fresh install can be instantly operational with TLS,
> suggesting that it is not generating them on the fly ... so I really wonder
> how secure the default params are. I wonder what is being used when there
> are no params in the cert file. Does it get something hardcoded and use that
> until params generated in the background can be swapped in?

You'll want to have a look at this issue:
https://github.com/haproxy/haproxy/issues/1604

Indeed HAProxy has default ones, and reading the issue and comments of Lukas
you'll understand why DH params are a thing of the past (if you use modern
ciphers), and why generating them yourself is not even that great to begin
with.

(I'm the author of the issue btw)

Best,
~Nico