On 4/29/22 12:42, Branitsky, Norman wrote:
> If you include the following in your HAProxy configuration global
> section you don't need to include DH Params in the certificate:
> tune.ssl.default-dh-param 2048
It takes several minutes to generate params, so I doubt that with that
option there would be different params for each certificate. It is
my understanding that when they are included in the cert file, each cert
can have different params. Part of my automated cert renewal process
included generating brand new dh params.
I know that a fresh install can be instantly operational with TLS,
suggesting that it is not generating them on the fly ... so I really
wonder how secure the default params are. I wonder what is being used
when there are no params in the cert file. Does it get something
hardcoded and use that until params generated in the background can be
swapped in?
Thanks,
Shawn
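The three places a DHE group can come from in this discussion, shown side by side as an added HAProxy configuration example (not from the thread or the HAProxy project; the file paths, frontend and backend names are assumed):

```haproxy
global
    # Built-in default (the directive Norman quoted): when a certificate
    # file carries no DH block and no ssl-dh-param-file is set, HAProxy
    # uses its own built-in group of this size for DHE key exchange.
    tune.ssl.default-dh-param 2048

    # Operator-generated default shared by every bind line that has no
    # DH block of its own. Generated once, for example with
    #   openssl dhparam -out /etc/haproxy/dhparam.pem 2048
    # (slow, as the thread notes), and reused across certificate renewals.
    ssl-dh-param-file /etc/haproxy/dhparam.pem

frontend https-in
    # Per-certificate override: if site.pem also contains a
    # "-----BEGIN DH PARAMETERS-----" block (appended after the key
    # during renewal), that group is used for this certificate and
    # takes precedence over both global settings above.
    bind *:443 ssl crt /etc/haproxy/certs/site.pem
    default_backend app

backend app
    server app1 127.0.0.1:8080
```

Per-certificate groups cost a fresh `openssl dhparam` run at every renewal; the global file gives the same operator-controlled group with a one-time cost.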