❦ 26 April 2014 12:51 CEST, Willy Tarreau <[email protected]>:
>> - leave the situation as it is now, and let users concerned with security
>> use a static 2048-bit (or larger) DH parameter in the certificate
>> file;
>> - recommit the patch I submitted as it is, and let users concerned with
>> the CPU impact use a static DH parameter in the certificate file.
>
> What do you mean by "use static DH parameter in the cert file"? Is this
> something the user can decide after the cert is emitted ? Is it something
> easy to do ?
On some software (HAProxy included from what I see in the source code),
you can just append the DH parameter to the certificate file. So, once
you know, that's easy.
>> I wonder why mod_ssl users do not seem to complain?
>
> Maybe most of them are running at low loads or are running sites where
> users stay for a long time ?
Or they have many boxes to do SSL (since I suppose in their setup, they
also serve web pages).
--
Make sure comments and code agree.
- The Elements of Programming Style (Kernighan & Plauger)
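The "append the DH parameter to the certificate file" step discussed above, as an added shell example that is not part of the thread or of HAProxy's own tooling. The file names (cert.pem, dh.pem) and the 2048-bit size are assumptions; the append is made idempotent because a deployment script that re-runs must not stack a second DH block onto the file.

```shell
#!/bin/sh
# Added example (not from the thread): put a PEM-encoded DH parameter
# block into a certificate file so the server uses it instead of its
# built-in default. File names and the key size are assumptions.
set -eu

# Generate a DH parameter file with OpenSSL: generate_dhparam 2048 dh.pem
# This is slow for 2048 bits and up; run it once, on a build host if
# needed, and ship the result. Only the reader calls this, not the checks.
generate_dhparam() {
    openssl dhparam -out "$2" "$1"
}

# Succeed (exit 0) when the file already carries a DH PARAMETERS block.
has_dhparam() {
    grep -q -- '-----BEGIN DH PARAMETERS-----' "$1"
}

# Append the DH block in $2 to the certificate file $1, unless the
# certificate file already contains one.
append_dhparam() {
    cert="$1"; dh="$2"
    if has_dhparam "$cert"; then
        echo "skip: $cert already has DH parameters" >&2
        return 0
    fi
    # PEM blocks must start on their own line: add a newline if the
    # certificate file does not end with one.
    [ -z "$(tail -c 1 "$cert")" ] || printf '\n' >> "$cert"
    cat "$dh" >> "$cert"
}

# Print the size OpenSSL parses from the combined file, e.g.
# "    DH Parameters: (2048 bit)", to confirm the block was picked up.
show_dhparam() {
    openssl dhparam -in "$1" -noout -text | head -n 1
}
```

Typical use is `generate_dhparam 2048 dh.pem`, then `append_dhparam cert.pem dh.pem`, then `show_dhparam cert.pem` before reloading the server; the size printed by the last step is the one that should match the security target chosen in the thread (2048 bits or larger).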