Re: SSL custom dhparam problem

2015-05-24 Thread Willy Tarreau
Hi Lukas, On Sun, May 24, 2015 at 12:41:12PM +0200, Lukas Tribus wrote: For 1024, what we could do : - in 1.6 : we wouldn't provide one anymore, which means that users could only load it from a file they would generate if they need one ; You are implying that we will provide 2048 bit

RE: SSL custom dhparam problem

2015-05-24 Thread Lukas Tribus
Honestly, I'm opting for removing the DH fallback in haproxy altogether and simply always warn when the certificate (or a dedicated DH file parameter like nginx does, which was requested earlier this week and makes sense) does not have the DH parameters. I'm having a mixed opinion here.

Re: Re: SSL custom dhparam problem

2015-05-23 Thread Willy Tarreau
On Fri, May 22, 2015 at 10:58:47AM +0200, Remi Gacogne wrote: On Fri, May 22, 2015 at 09:10:36AM +0200, Hervé Commowick wrote: As a temporary solution, I have decided to use a custom DH param for each bind, but anyway, this clearly needs a fix :) Did you test Rémi's patch to confirm

RE: SSL custom dhparam problem

2015-05-23 Thread Lukas Tribus
OK so now we need to find what to do in the end. From what I understood, just removing the lines was a test and is not viable because we'll always emit the warning, right ? Honestly, I'm opting for removing the DH fallback in haproxy altogether and simply always warn when the certificate (or a

Re: SSL custom dhparam problem

2015-05-22 Thread Hervé Commowick
diff --git a/src/ssl_sock.c b/src/ssl_sock.c index d0f4d01..c5bd2f9 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -1076,10 +1076,6 @@ int ssl_sock_load_dh_params(SSL_CTX *ctx, const char *file) if (dh) { ret = 1; SSL_CTX_set_tmp_dh(ctx, dh); -
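Review bot: the four lines this hunk removes (header -1076,10 +1076,6, starting right after SSL_CTX_set_tmp_dh(ctx, dh) in ssl_sock_load_dh_params) are cut off after the first "-" in this excerpt, so the substance of the change cannot be checked from the page; given the later reply that removing these lines was only a test and leaves the warning always emitted, the hunk should not be applied to 1.5 on its own without the accompanying fix, and the commit message should say why the lines are dropped.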

Re: SSL custom dhparam problem

2015-05-22 Thread Hervé Commowick
Hey Willy, I confirm his patch works as expected; it just needs to be modified a bit to apply on 1.5, but not a big deal. Hervé. On Fri, May 22, 2015 at 10:28 AM, Willy Tarreau w...@1wt.eu wrote: Hi Hervé, On Fri, May 22, 2015 at 09:10:36AM +0200, Hervé Commowick wrote: As a temporary

SSL custom dhparam problem

2015-05-21 Thread Hervé Commowick
Hello, I encounter a problem with dhparam configuration, if I have 2 bind lines, a tune.ssl.default-dh-param 2048, and a custom group dhparam in one of the pem file, ALL bind lines will use 1024, the one with the custom group will work as expected, and the one without will use the default Oakley
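The report above hinges on which bind lines carry their own DH parameters in the PEM and which fall back to tune.ssl.default-dh-param. The following script is an added example, not HAProxy's code or anything posted in this thread: it walks the `bind ... crt <file>` lines of a config, looks in each referenced PEM for a `DH PARAMETERS` block (PKCS#3 `DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER, privateValueLength INTEGER OPTIONAL }`) and reports the prime size, so the binds that rely on the default are easy to spot. The config, the PEM contents and the 2048-bit "prime" are constructed samples (the integer is only an odd 2048-bit number to exercise the parser, not a real safe prime); the 1024-bit fallback value is HAProxy 1.5's documented default when the tunable is unset.

```python
"""Which HAProxy binds carry their own DH parameters? (added example)"""
import base64
import re

DH_BLOCK = re.compile(
    r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", re.S)
BIND_LINE = re.compile(r"^\s*bind\s+(\S+)\s.*?\bcrt\s+(\S+)", re.M)
DEFAULT_DH = re.compile(r"tune\.ssl\.default-dh-param\s+(\d+)")


def _der_tlv(buf, pos=0):
    """Decode one DER tag/length/value at buf[pos]; return (tag, value, end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def dh_prime_bits(pem_text):
    """Bit length of p in the first DH PARAMETERS block of a PEM, or None if absent."""
    m = DH_BLOCK.search(pem_text)
    if m is None:
        return None
    der = base64.b64decode(m.group(1))      # b64decode drops the line breaks
    tag, seq, _ = _der_tlv(der)
    if tag != 0x30:
        raise ValueError("DH PARAMETERS block is not a DER SEQUENCE")
    tag, p_bytes, _ = _der_tlv(seq)         # first element of DHParameter is the prime
    if tag != 0x02:
        raise ValueError("DHParameter.prime is not an INTEGER")
    return int.from_bytes(p_bytes, "big").bit_length()


def default_dh_param(config_text):
    """Configured tune.ssl.default-dh-param, or 1024 (HAProxy 1.5's built-in default)."""
    m = DEFAULT_DH.search(config_text)
    return int(m.group(1)) if m else 1024


def audit_binds(config_text, pem_files):
    """Return [(bind address, crt path, prime bits or None)] for every ssl bind.

    pem_files maps each crt path to its PEM text (read from disk in real use).
    None means the PEM has no DH block, so that bind relies on the default.
    """
    return [(addr, path, dh_prime_bits(pem_files[path]))
            for addr, path in BIND_LINE.findall(config_text)]


# --- constructed sample data (not from the thread) ---------------------------

def _der_encode(tag, value):
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value


def _der_int(n):
    b = n.to_bytes((n.bit_length() + 8) // 8, "big")   # spare byte keeps the sign bit clear
    return _der_encode(0x02, b)


def make_dh_params_pem(p, g=2):
    """PEM-encode a PKCS#3 DHParameter { p, g }, the layout 'openssl dhparam' writes."""
    der = _der_encode(0x30, _der_int(p) + _der_int(g))
    body = base64.encodebytes(der).decode()            # 76-column lines like openssl
    return "-----BEGIN DH PARAMETERS-----\n" + body + "-----END DH PARAMETERS-----\n"


SAMPLE_CONFIG = """
global
    tune.ssl.default-dh-param 2048

frontend https
    bind 0.0.0.0:443  ssl crt /etc/haproxy/custom.pem
    bind 0.0.0.0:8443 ssl crt /etc/haproxy/plain.pem
"""

CERT_STUB = "-----BEGIN CERTIFICATE-----\nAA==\n-----END CERTIFICATE-----\n"
SAMPLE_PEMS = {
    "/etc/haproxy/custom.pem": CERT_STUB + make_dh_params_pem(2 ** 2047 + 1),  # constructed
    "/etc/haproxy/plain.pem": CERT_STUB,                                     # no DH block
}

if __name__ == "__main__":
    default = default_dh_param(SAMPLE_CONFIG)
    for addr, path, bits in audit_binds(SAMPLE_CONFIG, SAMPLE_PEMS):
        where = f"{bits}-bit DH from {path}" if bits else f"no DH block, default-dh-param {default}"
        print(f"{addr}: {where}")
```

The script only says what each PEM contains; it cannot tell what the running haproxy actually negotiates, which is the whole point of the report. To check that, connect with OpenSSL 1.0.2 or later restricted to a DHE suite, e.g. `openssl s_client -connect host:443 -cipher DHE-RSA-AES256-SHA`, and read the `Server Temp Key:` line it prints for each bind.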

Re: SSL custom dhparam problem

2015-05-21 Thread Remi Gacogne
Hi Hervé, On 05/21/2015 10:11 PM, Hervé Commowick wrote: I encounter a problem with dhparam configuration, if I have 2 bind lines, a tune.ssl.default-dh-param 2048, and a custom group dhparam in one of the pem file, ALL bind lines will use 1024, the one with the custom group will work as

Re: SSL custom dhparam problem

2015-05-21 Thread Willy Tarreau
Hi Rémi, On Thu, May 21, 2015 at 11:19:15PM +0200, Remi Gacogne wrote: Hi Hervé, On 05/21/2015 10:11 PM, Hervé Commowick wrote: I encounter a problem with dhparam configuration, if I have 2 bind lines, a tune.ssl.default-dh-param 2048, and a custom group dhparam in one of the pem