On 02.05.2014 16:52, Lukas Tribus wrote:
Hi Remi,
The default value for max-dh-param-size is set to 1024, thus keeping
the current behavior by default. Setting a higher value (for example
2048 with a 2048 bits RSA/DSA server key) allows an easy upgrade
to stronger ephemeral DH keys (and back if needed).
Please note that Sander used 4096bit - which is why he saw huge CPU
load.
Imho we can default max-dh-param-size to 2048bit.
Best thing would be if Sander could test in his environment with a
2048bit dhparam manually (in the cert file).
I've added a 2048bit dhparam to my most used certificates and I don't
see a big jump in resource usage.
This was not a big scientific test, I just added the DH params in my
production and looked if the haproxy process started eating more CPU. As
far as I can tell CPU usage went up just a couple percent. Not a very
big deal.
So, to me using 2048bit doesn't seem like a problem. And..... I can
always switch to nbproc > 1 ;-)
Greets,
Sander