Hi,

What happens if you also have DH appended to your certificates? You set
global.tune.ssl_max_dh_param to 1024 but you have a 4096-bit DH in your
certificate file, which one is used then? An answer could be 'Don't do
that' :-) but I was curious.

The certificate's dh_param is used. To avoid this kind of confusion,
may I suggest that we call this something like ssl_max_dh_param_fallback,
since it is indeed a fallback and only used when openssl doesn't find
dh_params in the certificate?

I think you have a point here, tune.ssl.max-dh-fallback-size maybe?

This also means that we will see this warning when this setting is not
configured, but the certificate actually contains it.

That should not be the case, if I am not mistaken, as global.tune.ssl_max_dh_param is only checked when the certificate does not contain DH parameters.

Btw, in what condition are we checking and displaying this warning?
When haproxy is compiled with OpenSSL? When we actually use a certificate?

When an X.509 server certificate has been successfully loaded.


Regards,

--
Rémi Gacogne

Aqua Ray
SAS au capital de 105.720 Euros
RCS Creteil 447 997 099
www.aquaray.fr

14, rue Jules Vanzuppe
94854 IVRY-SUR-SEINE CEDEX (France)
Tel : +33 1 84 04 04 05
