Hi all,

while running on a trivial test config in which I had enabled
"zero-warning", my process refused to start due to the good old
warning "Setting tune.ssl.default-dh-param to 1024 blah blah".

I was almost certain we discussed about switching the default value
to 2048 for 2.0 or 2.1 but couldn't find any trace of this, so I must
have dreamed or discussed it in person. I've run a quick check on the
configs shared on the list over the last two years and found this:

$ tail  -c80m Mail/lists/haproxy-ml | grep -o 'tune.ssl.default-dh-param[     
]\+[0-9]\+' | awk '{print $1,$2}' |sort|uniq -c|sort -n
      1 tune.ssl.default-dh-param 4096
     13 tune.ssl.default-dh-param 1024
     86 tune.ssl.default-dh-param 2048

Thus it seems that the vast majority of users (exactly 86%) prefer to
use 2048 which is also the one recommended in the warning. All I found
on the subject was in fact added to the doc by RĂ©mi who implemented the
tunable 6 years ago (commit f46cd6e4ec), and he warned:

   values greater than 1024 bits are not supported by Java 7 and
   earlier clients

Do we still really care given how old this is now and that users can
still force the value if they absolutely need it ?

As such I think it's about time we change the default value to 2048 and
get rid of this annoying warning before 2.2 gets released (and at the
same time 86% of the users will be able to remove one cryptic line in
their config). This way those who don't know/need it will be more
secure by default and those who need it will still be able to.

Does anyone have any objection or alternate recommendation ?

Thanks,
Willy

Reply via email to