RE: warning tune.ssl.default-dh-param

2014-06-21 Thread Lukas Tribus
Hi Markus,

>> as far as i understood i need this if i use Diffie-Hellman to generate the
>> session key. i need a special dh-key, right? if i don't use this i don't
>> need to set the tune-ssl param.
>
> No, that's not really correct. You need the dh parameters for DHE ciphers and
> the fact that this warning appears means that you are actually using them.

> ok,
> not that i knew. but then, i have set it to 2048. message disappeared.

Well, you can also set it to 1024 and the message should disappear. The idea
behind this is that you consciously set this value to avoid sudden surprising
performance regressions.


Lukas



warning tune.ssl.default-dh-param

2014-06-20 Thread Markus Rietzler
Hi,
with dev26 and now the release of version 1.5. i get the following warning when 
starting haproxy:

Starting haproxy: [WARNING] 170/090803 (38826) : Setting
tune.ssl.default-dh-param to 1024 by default, if your workload
permits it you should set it to at least 2048. Please set a value >= 1024 to
make this warning disappear.

as far as i understood i need this if i use Diffie-Hellman to generate the 
session key. i need a special dh-key, right?
if i don't use this i don't need to set the tune-ssl param.


thanxs

markus



RE: warning tune.ssl.default-dh-param

2014-06-20 Thread Lukas Tribus
Hi Markus,



> with dev26 and now the release of version 1.5. i get the following
> warning when starting haproxy:
>
> Starting haproxy: [WARNING] 170/090803 (38826) : Setting
> tune.ssl.default-dh-param to 1024 by default, if your workload permits it
> you should set it to at least 2048. Please set a value >= 1024 to make
> this warning disappear.
>
> as far as i understood i need this if i use Diffie-Hellman to generate the
> session key. i need a special dh-key, right? if i don't use this i don't
> need to set the tune-ssl param.

No, that's not really correct. You need the dh parameters for DHE ciphers and
the fact that this warning appears means that you are actually using them.

If you don't use DHE ciphers, then the message doesn't even appear.


This is a real world warning, do not ignore it. Decide whether to use 1024 or
2048 bit for dh-params (or more).


More about here:
http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#tune.ssl.default-dh-param


And some details about DHE, forward secrecy and dh-params:
http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html#diffie-hellman-with-discrete-logarithm



Regards,

Lukas
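For readers landing on this thread: below is an added haproxy 1.5 configuration sketch, not part of the original mails, showing the two ways the warning above is addressed. It sets tune.ssl.default-dh-param explicitly in the global section (the value 2048 follows the warning's own recommendation; 1024 also silences it, as Lukas notes, at lower cost). The certificate path, frontend name and backend name are placeholders. The comment on appending generated DH parameters to the certificate PEM reflects the linked documentation, which states that DH parameters found in the certificate file take precedence over the default.

```haproxy
global
    # Size cap for the ephemeral DH key used by DHE cipher suites.
    # Setting it explicitly (>= 1024) removes the startup warning and makes
    # the handshake cost a conscious choice rather than a default.
    tune.ssl.default-dh-param 2048

    # Optional: restrict the cipher list so that DHE is only offered when
    # you actually want forward secrecy via DH; ECDHE is cheaper for the
    # same benefit. (Cipher string is illustrative, adjust to your policy.)
    ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

frontend https-in
    # /etc/haproxy/certs/example.pem is a placeholder path.
    # To use your own DH parameters instead of the default-dh-param value,
    # generate them once and append the "DH PARAMETERS" block to this PEM:
    #   openssl dhparam -out dhparam.pem 2048
    #   cat dhparam.pem >> /etc/haproxy/certs/example.pem
    bind :443 ssl crt /etc/haproxy/certs/example.pem
    default_backend app

backend app
    # Placeholder backend; replace with the real servers.
    server app1 127.0.0.1:8080 check
```

Check which path is in effect with `haproxy -c -f /etc/haproxy/haproxy.cfg`: the warning from the original mail should no longer be printed once the global setting is present. Note that ssl-default-bind-ciphers is listed here as an assumption about what a 1.5 deployment would typically combine with this setting; remove that line if your build does not accept it.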