On Wed, May 06, 2020 at 07:59:55PM +0200, Willy Tarreau wrote:
> Hi all,
> while running on a trivial test config in which I had enabled
> "zero-warning", my process refused to start due to the good old
> warning "Setting tune.ssl.default-dh-param to 1024 blah blah".
> I was almost certain we discussed about switching the default value
> to 2048 for 2.0 or 2.1 but couldn't find any trace of this, so I must
> have dreamed or discussed it in person. I've run a quick check on the
> configs shared on the list over the last two years and found this:

I recall a discussion where the default openssl.cnf in some distribution
was denying a DH lower than 2048. You probably think about this one.

> $ tail  -c80m Mail/lists/haproxy-ml | grep -o 'tune.ssl.default-dh-param[     
> ]\+[0-9]\+' | awk '{print $1,$2}' |sort|uniq -c|sort -n
>       1 tune.ssl.default-dh-param 4096
>      13 tune.ssl.default-dh-param 1024
>      86 tune.ssl.default-dh-param 2048
> Thus it seems that the vast majority of users (exactly 86%) prefer to
> use 2048 which is also the one recommended in the warning. All I found
> on the subject was in fact added to the doc by RĂ©mi who implemented the
> tunable 6 years ago (commit f46cd6e4ec), and he warned:
>    values greater than 1024 bits are not supported by Java 7 and
>    earlier clients
> Do we still really care given how old this is now and that users can
> still force the value if they absolutely need it ?
> As such I think it's about time we change the default value to 2048 and
> get rid of this annoying warning before 2.2 gets released (and at the
> same time 86% of the users will be able to remove one cryptic line in
> their config). This way those who don't know/need it will be more
> secure by default and those who need it will still be able to.
> Does anyone have any objection or alternate recommendation ?
> Thanks,
> Willy

I'm fine with that, most people use at least a value of 2048 because of
the warning, their modern distribution will probably deny a lower value,
and we add this warning a long time ago.

William Lallemand

Reply via email to