On Mon, May 19, 2014 at 09:47:45AM +0200, Remi Gacogne wrote:
> Hi Willy,
>
> > I'd have applied a very simple change to your patch : I'd have initialized
> > global.tune.ssl_max_dh_param to zero by default, and emitted a warning here
> > :
> >
> > + if (global.tune.ssl_max_dh_param <= 1024) {
> > + /* we are limited to DH parameter of 1024 bits
> > anyway */
> > + Warning("Setting global.tune.ssl_max_dh_param to
> > 1024 by default, if your workload permits it you should set it to at least
> > 2048. Please set a value >= 1024 to make this warning disappear.");
> > + global.tune.ssl_max_dh_param = 1024;
> > + dh = ssl_get_dh_1024();
> > + if (dh == NULL)
> > + goto end;
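Review bot: The guard `if (global.tune.ssl_max_dh_param <= 1024)` also fires when the operator has explicitly configured 1024, which contradicts the warning text "Please set a value >= 1024 to make this warning disappear"; with the new zero default, `< 1024` is the condition that matches the intent of warning only users who never set a value, while still forcing the 1024-bit fallback for 0 and any smaller value. The `goto end` on `ssl_get_dh_1024()` failing is fine, but the warning is emitted before that check, so a failed fallback still claims 1024 was set; consider moving the Warning() after the NULL check.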
> >
> > What do you think ? That way it seems like only people really using the
> > default value will get the warning.
>
> Yes, I think that's a good idea. You probably want to display this
> warning only when global.tune.ssl_max_dh_param is less than 1024 though,
> not equal :)
Ah yes, you're right. But anyway the purpose was to explain the principle.
Do you want to update your patch and resubmit then ?
thanks,
Willy
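To make the off-by-one discussed above concrete, here is an added example (not HAProxy's code, and not from either author): a small resolver for a configured DH parameter size that warns only when the value is strictly below the 1024-bit fallback, shown beside the original `<=` comparison so the difference for an explicit 1024 is visible. The names `resolve_dh_param`, `DH_PARAM_FLOOR` and `DH_PARAM_ADVISED` are assumptions for this illustration; 0 stands for "unset", as in the proposed zero default.

```c
#include <stdio.h>
#include <stdbool.h>

/* Assumed constants for this example: the thread's built-in fallback is a
 * 1024-bit parameter set, and its warning recommends at least 2048 bits. */
#define DH_PARAM_FLOOR   1024
#define DH_PARAM_ADVISED 2048

struct dh_decision {
    int  effective_bits;   /* DH parameter size actually used */
    bool warn;             /* whether the operator should be warned */
};

/* Corrected check: warn and fall back to 1024 only when the configured value
 * (0 = unset) is strictly below the floor, so an explicit 1024 is silent. */
struct dh_decision resolve_dh_param(int configured)
{
    struct dh_decision d = { configured, false };
    if (configured < DH_PARAM_FLOOR) {
        d.effective_bits = DH_PARAM_FLOOR;
        d.warn = true;
    }
    return d;
}

/* Original '<=' comparison, kept only to show that it also warns for an
 * explicitly configured 1024. */
struct dh_decision resolve_dh_param_le(int configured)
{
    struct dh_decision d = { configured, false };
    if (configured <= DH_PARAM_FLOOR) {
        d.effective_bits = DH_PARAM_FLOOR;
        d.warn = true;
    }
    return d;
}

/* Advisory message, modelled on the thread's warning text. */
static void report(const char *label, int configured, struct dh_decision d)
{
    printf("%-8s configured=%-5d effective=%-5d warn=%s\n",
           label, configured, d.effective_bits, d.warn ? "yes" : "no");
    if (d.warn && d.effective_bits < DH_PARAM_ADVISED)
        printf("         hint: set at least %d bits if your workload permits\n",
               DH_PARAM_ADVISED);
}

int main(void)
{
    /* Constructed sample settings: unset, too small, exactly the floor,
     * and the advised size. */
    const int samples[] = { 0, 512, 1024, 2048 };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        report("lt", samples[i], resolve_dh_param(samples[i]));
        report("le", samples[i], resolve_dh_param_le(samples[i]));
    }
    return 0;
}
```

Run it and compare the `warn` column for `configured=1024`: the `<` version is quiet, the `<=` version is not, which is exactly the case Remi raised.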