Hi Markus,


> With dev26 and now the release of version 1.5 I get the following
> warning when starting haproxy:
>
> Starting haproxy: [WARNING] 170/090803 (38826) : Setting
> tune.ssl.default-dh-param to 1024 by default, if your workload permits it
> you should set it to at least 2048. Please set a value>= 1024 to make
> this warning disappear.
>
> As far as I understood I need this if I use Diffie-Hellman to generate the
> session key. I need a special dh-key, right? If I don't use this I don't
> need to set the tune-ssl param.

No, that's not really correct. You need the dh parameters for DHE ciphers, and
the fact that this warning appears means that you are actually using them.

If you don't use DHE ciphers, then the message doesn't even appear.


This is a real world warning, do not ignore it. Decide whether to use 1024 or
2048 bit for dh-params (or more).


More about it here:
http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#tune.ssl.default-dh-param


And some details about DHE, forward secrecy and dh-params:
http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html#diffie-hellman-with-discrete-logarithm



Regards,

Lukas
