New RHEL 8 Crypto Configuration mentioned in:

From: Илья Шипицин <>

Sent: Wednesday, May 6, 2020 5:34 AM

To: HAProxy <>

Subject: running haproxy with predefined security policies on RHEL8 ?


do we have any experience of

defines FUTURE configuration as:

no SHA-1 signatures

DH and RSA parameters minimum 3072

Norman Branitsky

Senior Cloud Architect

P: 416-916-1752

-----Original Message-----
From: Willy Tarreau <>
Sent: Wednesday, May 6, 2020 2:00 PM
To: HAProxy <>
Subject: about Warning: Setting tune.ssl.default-dh-param to 1024

Hi all,

while running on a trivial test config in which I had enabled "zero-warning", 
my process refused to start due to the good old warning "Setting 
tune.ssl.default-dh-param to 1024 blah blah".

I was almost certain we discussed about switching the default value to 2048 for 
2.0 or 2.1 but couldn't find any trace of this, so I must have dreamed or 
discussed it in person. I've run a quick check on the configs shared on the 
list over the last two years and found this:

$ tail  -c80m Mail/lists/haproxy-ml | grep -o 'tune.ssl.default-dh-param[     
]\+[0-9]\+' | awk '{print $1,$2}' |sort|uniq -c|sort -n

      1 tune.ssl.default-dh-param 4096

     13 tune.ssl.default-dh-param 1024

     86 tune.ssl.default-dh-param 2048

Thus it seems that the vast majority of users (exactly 86%) prefer to use 2048 
which is also the one recommended in the warning. All I found on the subject 
was in fact added to the doc by Rémi who implemented the tunable 6 years ago 
(commit f46cd6e4ec), and he warned:

   values greater than 1024 bits are not supported by Java 7 and

   earlier clients

Do we still really care given how old this is now and that users can still 
force the value if they absolutely need it ?

As such I think it's about time we change the default value to 2048 and get rid 
of this annoying warning before 2.2 gets released (and at the same time 86% of 
the users will be able to remove one cryptic line in their config). This way 
those who don't know/need it will be more secure by default and those who need 
it will still be able to.

Does anyone have any objection or alternate recommendation ?



Reply via email to