Hi,
> What happens if you also have DH appended to your certificates? You set
> global.tune.ssl_max_dh_param to 1024 but you have a 4096-bit DH in your
> certificate file, which one is used then? An answer could be 'Don't do
> that' :-) but I was curious.
The certificate's dh_param is used. To avoid this kind of confusion,
may I suggest that we call this something like ssl_max_dh_param_fallback,
since it is indeed a fallback and only used when openssl doesn't find
dh_params in the certificate?
This also means that we will see this warning when this setting is not
configured, but the certificate actually contains it.
Seems difficult to find the optimal approach for handling this.
Btw, in what condition are we checking and displaying this warning?
When haproxy is compiled with OpenSSL? When we actually use a certificate?
Regards,
Lukas
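As an added illustration of the precedence described in this reply (not code from the thread or from HAProxy itself): a small Python check that tells you whether a PEM certificate file carries its own "DH PARAMETERS" block, how large the prime is, and therefore whether the global fallback size would apply at all. The name of the global setting is left as a plain number argument, since the thread is still discussing what to call it. The PEM inputs below are constructed for the example; the DH prime is a placeholder number of the right size, not a real safe prime, and the certificate block is a placeholder, not a real certificate.

```python
import base64
import re

# --- minimal DER helpers (PKCS#3 DHParameter is SEQUENCE { INTEGER p, INTEGER g }) ---

def der_len(n: int) -> bytes:
    """DER length encoding: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def der_int(n: int) -> bytes:
    """DER-encode a non-negative ASN.1 INTEGER (pads a leading 0x00 if the top bit is set)."""
    body = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + der_len(len(body)) + body

def build_dh_pem(p: int, g: int = 2) -> str:
    """Build a 'DH PARAMETERS' PEM block from p and g (used only to construct sample input)."""
    body = der_int(p) + der_int(g)
    der = b"\x30" + der_len(len(body)) + body
    b64 = base64.encodebytes(der).decode().replace("\n", "")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"

def read_len(buf: bytes, i: int):
    """Decode a DER length at buf[i]; return (length, index after the length field)."""
    first = buf[i]
    i += 1
    if first < 0x80:
        return first, i
    n = first & 0x7F
    return int.from_bytes(buf[i:i + n], "big"), i + n

def dh_prime_bits(pem_text: str):
    """Bit length of p in the first PKCS#3 'DH PARAMETERS' block, or None if the file has none."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----\s*(.*?)\s*-----END DH PARAMETERS-----",
                  pem_text, re.S)
    if not m:
        return None
    der = base64.b64decode("".join(m.group(1).split()))
    if der[0] != 0x30:
        raise ValueError("DH PARAMETERS block is not a DER SEQUENCE")
    _, i = read_len(der, 1)
    if der[i] != 0x02:
        raise ValueError("first SEQUENCE element is not an INTEGER")
    plen, i = read_len(der, i + 1)
    p = int.from_bytes(der[i:i + plen], "big")
    return p.bit_length()

def effective_dh_bits(pem_text: str, fallback_bits: int):
    """Precedence as stated in the thread: DH params found in the certificate file win;
    the global size is only a fallback when the file carries none."""
    bits = dh_prime_bits(pem_text)
    if bits is None:
        return fallback_bits, "global fallback"
    return bits, "certificate file"

# --- constructed sample input (placeholders, not real key material) ---
PLACEHOLDER_CERT = "-----BEGIN CERTIFICATE-----\nMIIBplaceholdercertificatebody\n-----END CERTIFICATE-----\n"
# A 4096-bit placeholder number standing in for the prime; not a safe prime, not usable for DH.
PLACEHOLDER_P_4096 = (1 << 4095) | 1

CERT_ONLY_PEM = PLACEHOLDER_CERT
CERT_WITH_DH_PEM = PLACEHOLDER_CERT + build_dh_pem(PLACEHOLDER_P_4096)

if __name__ == "__main__":
    # Mirrors the question in the thread: global fallback 1024, 4096-bit DH in the file.
    print(effective_dh_bits(CERT_WITH_DH_PEM, 1024))   # (4096, 'certificate file')
    print(effective_dh_bits(CERT_ONLY_PEM, 1024))      # (1024, 'global fallback')
```

The parser only understands the PKCS#3 "DH PARAMETERS" header that openssl dhparam writes; an X9.42 block would be reported as absent, so treat a None result as "no PKCS#3 block found" rather than as proof the file has no DH material.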