Hi Willy,
> I'd have applied a very simple change to your patch : I'd have initialized
> global.tune.ssl_max_dh_param to zero by default, and emitted a warning here :
>
> + if (global.tune.ssl_max_dh_param <= 1024) {
> + /* we are limited to DH parameter of 1024 bits anyway
> */
> + Warning("Setting global.tune.ssl_max_dh_param to 1024
> by default, if your workload permits it you should set it to at least 2048.
> Please set a value >= 1024 to make this warning disappear.");
> + global.tune.ssl_max_dh_param = 1024;
> + dh = ssl_get_dh_1024();
> + if (dh == NULL)
> + goto end;
>
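Review bot: the condition on the first added line, "global.tune.ssl_max_dh_param <= 1024", contradicts the warning text a few lines below it, which tells the user that a value >= 1024 makes the warning disappear; with "<=", an explicit setting of 1024 still triggers the warning. Since the proposal is to initialize the field to zero by default, compare with "< 1024" (or test for the zero default explicitly) so that only an unset or too-small value is warned about and forced to 1024.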
> What do you think ? That way it seems like only people really using the
> default value will get the warning.

Yes, I think that's a good idea. You probably want to display this warning
only when global.tune.ssl_max_dh_param is less than 1024 though, not equal :)

Regards,
-- 
Rémi Gacogne

Aqua Ray
SAS au capital de 105.720 Euros
RCS Créteil 447 997 099
www.aquaray.fr
14, rue Jules Vanzuppe
94854 IVRY-SUR-SEINE CEDEX (France)
Tel : (+33) (0)1 84 04 04 05
Fax : (+33) (0)1 77 65 60 42

