Hi all,
while running on a trivial test config in which I had enabled
"zero-warning", my process refused to start due to the good old
warning "Setting tune.ssl.default-dh-param to 1024 blah blah".
I was almost certain we discussed about switching the default value
to 2048 for 2.0 or 2.1 but couldn't find any trace of this, so I must
have dreamed or discussed it in person. I've run a quick check on the
configs shared on the list over the last two years and found this:
$ tail -c80m Mail/lists/haproxy-ml | grep -o 'tune.ssl.default-dh-param[
]\+[0-9]\+' | awk '{print $1,$2}' |sort|uniq -c|sort -n
1 tune.ssl.default-dh-param 4096
13 tune.ssl.default-dh-param 1024
86 tune.ssl.default-dh-param 2048
Thus it seems that the vast majority of users (exactly 86%) prefer to
use 2048 which is also the one recommended in the warning. All I found
on the subject was in fact added to the doc by RĂ©mi who implemented the
tunable 6 years ago (commit f46cd6e4ec), and he warned:
values greater than 1024 bits are not supported by Java 7 and
earlier clients
Do we still really care given how old this is now and that users can
still force the value if they absolutely need it ?
As such I think it's about time we change the default value to 2048 and
get rid of this annoying warning before 2.2 gets released (and at the
same time 86% of the users will be able to remove one cryptic line in
their config). This way those who don't know/need it will be more
secure by default and those who need it will still be able to.
Does anyone have any objection or alternate recommendation ?
Thanks,
Willy
