On 2015-05-21 18:20, Remi Gacogne wrote:
> Hi,
>> from what I've seen in the sources and documentation a default and
>> pre-generated prime will be used as default (unless appended to the
>> certificate). HAProxy uses the related functions provided by OpenSSL
>> itself (get_rfc3526_prime_2048, ...). What I miss here is an option to
>> specify my own dhparams file to avoid using those pre-generated ones
>> and/or appending some to all certificates. Wouldn't it make sense to
>> allow it to be read from a file, globally?
> I don't think the 2048-bit MODP group 14 used by HAProxy is at risk
> right now, still it can't hurt to use a large number of different
> groups.
> You can use your own dhparam by appending it to the file specified with
> the crt command, after your certificate chain and key.
Well, I meant globally, as default.
global
tune.ssl.default-dh-param /path/to/custom/dhparams.pem
2048 was just an example. There is 1024 and IIRC 768 as well. One might
be forced to use 1024.
Also, according to the documentation HAProxy wouldn't allow/use anything
greater than tune.ssl.default-dh-param which is 1024 by default - unless
I misunderstood something.
--
Regards,
Christian Ruppert
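As an added example (not HAProxy's code and not from this thread), a small Python check of a crt bundle laid out as Remi describes: certificate chain, then key, then DH parameters appended last. It builds a constructed bundle around a synthetic prime, then reports the DH prime's bit length and whether the DH block follows the key; the cert and key bodies are placeholders, and the DER layout assumed is the standard PKCS#3 DHParameter SEQUENCE.

```python
import base64
import re
def der_length(n):
    """DER length octets, short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_integer(value):
    """DER INTEGER; a leading 0x00 keeps a high-bit prime positive."""
    body = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + der_length(len(body)) + body

def dh_params_pem(p, g=2):
    """PEM block for DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER }."""
    inner = der_integer(p) + der_integer(g)
    b64 = base64.b64encode(b"\x30" + der_length(len(inner)) + inner).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN DH PARAMETERS-----\n{body}\n-----END DH PARAMETERS-----\n"

def der_tlv(buf, off=0):
    """Read one tag/length/value at offset; return (tag, value, next_offset)."""
    tag, ln, off = buf[off], buf[off + 1], off + 2
    if ln & 0x80:  # long form: low bits give the number of length octets
        n = ln & 0x7F
        ln, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + ln], off + ln

def inspect_bundle(pem):
    """Size of the DH prime in a crt bundle, and whether it follows the key."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", pem, re.S)
    if not m:
        return {"dh_bits": None, "dh_after_key": False}
    tag, seq, _ = der_tlv(base64.b64decode("".join(m.group(1).split())))
    assert tag == 0x30, "DHParameter must be a SEQUENCE"
    tag, prime, _ = der_tlv(seq)
    assert tag == 0x02, "first element must be the INTEGER prime"
    key_pos = pem.rfind("PRIVATE KEY-----")  # last line of the key block
    return {"dh_bits": int.from_bytes(prime, "big").bit_length(),
            "dh_after_key": key_pos != -1 and key_pos < m.start()}

# Constructed sample: placeholder chain and key, plus a synthetic 2048-bit odd
# number standing in for a real safe prime (use "openssl dhparam" for real ones).
CERT = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
KEY = "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n"
BUNDLE = CERT + KEY + dh_params_pem((1 << 2047) | 0x1235)
```

Running `inspect_bundle` over a real crt file shows at a glance which group size a given certificate will actually offer, which is the check to make before relying on an appended dhparam rather than the built-in group.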