Hi,

> from what I've seen in the sources and documentation a default and
> pre-generated prime will be used as default (unless appended to the
> certificate). HAProxy uses the related functions provided by OpenSSL
> itself (get_rfc3526_prime_2048, ...). What I miss here is an option to
> specify my own dhparams file to avoid using those pre-generated ones
> and/or appending some to all certificates. Wouldn't it make sense to
> allow it to be read from a file, globally?
I don't think the 2048-bit MODP group 14 used by HAProxy is at risk right now, still it can't hurt to use a large number of different groups. You can use your own dhparam by appending it to the file specified with the crt command, after your certificate chain and key.

-- 
Rémi
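The bundling step Rémi describes, as an added example that is not part of the thread or of HAProxy itself: it concatenates the chain, key and DH parameters in that order for the `crt` file and checks the block order before the file is used. File names are assumptions and the PEM bodies are constructed placeholders, not real key material.

```shell
#!/bin/sh
# Added example, not code from the thread or from HAProxy. Builds a bundle
# for HAProxy's "crt" option in the order described (certificate chain,
# private key, then DH parameters) and checks that order before use.
# Real DH parameters would come from:  openssl dhparam -out dhparam.pem 2048
# All file names are assumptions; the PEM bodies are constructed placeholders.

# bundle_crt CHAIN KEY DHPARAM OUT: concatenate in the order HAProxy expects.
bundle_crt() {
    cat "$1" "$2" "$3" > "$4"
}

# pem_types FILE: list the PEM block types found in FILE, joined with '|'.
pem_types() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | tr '\n' '|'
}

# check_bundle FILE: succeed only if one or more CERTIFICATE blocks are
# followed by the private key and then a single trailing DH PARAMETERS block.
check_bundle() {
    pem_types "$1" | grep -Eq '^(CERTIFICATE[|])+((RSA|EC) )?PRIVATE KEY[|]DH PARAMETERS[|]$'
}

# fake_pem TYPE FILE: append a constructed placeholder block (NOT real material).
fake_pem() {
    printf '%s\n' "-----BEGIN $1-----" PLACEHOLDER "-----END $1-----" >> "$2"
}

demo() {
    d=$(mktemp -d)
    fake_pem CERTIFICATE "$d/chain.pem"       # leaf certificate
    fake_pem CERTIFICATE "$d/chain.pem"       # intermediate certificate
    fake_pem 'PRIVATE KEY' "$d/key.pem"
    fake_pem 'DH PARAMETERS' "$d/dhparam.pem"

    # Correct order: chain, key, DH params -> usable as "bind ... ssl crt site.pem"
    bundle_crt "$d/chain.pem" "$d/key.pem" "$d/dhparam.pem" "$d/site.pem"
    check_bundle "$d/site.pem" && echo "site.pem: block order ok"

    # Wrong order (DH params first) is rejected by the check.
    bundle_crt "$d/dhparam.pem" "$d/chain.pem" "$d/key.pem" "$d/bad.pem"
    check_bundle "$d/bad.pem" || echo "bad.pem: DH parameters must come last"
    rm -rf "$d"
}
demo
```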

