In [1] a workaround for those (hopefully a few) installations that need
the lower (not recommended) key size was suggested.

Again this isn't what "should be done", but what users could do if affected.
The reason not to do it is:
a) LOGJAM (CVE-2015-4000), common prime: HAProxy (1024 bits)
b) because of that, haproxy always warned you: "[WARNING] 286/090504 (13834) : Setting tune.ssl.default-dh-param to 1024 by default, if your workload permits it you should set it to at least 2048. Please set a value >= 1024 to make this warning disappear."

So we actually want and think it is good that the default size got bumped.
But people who need the old smaller key size (like David in comment #11) need
to have a way to drop back to the old key size.

With haproxy and testssl I checked (again) Bionic as-is:

updates (1.8.8-1ubuntu0.4):
 DH group offered:            HAProxy (1024 bits)

proposed (1.8.8-1ubuntu0.5):
 DH group offered:            RFC5114/2048-bit DSA group with 224-bit prime order subgroup (2048 bits)

proposed (1.8.8-1ubuntu0.5) + seclevel 0/1 config:
 :-/ I failed to convince haproxy to use any config in that regard.
 Tried several combinations of "CipherString = DEFAULT@SECLEVEL=0" in /etc/ssl/openssl.cnf
 Tried to get it into /etc/haproxy/haproxy.cfg
 But none worked to get the key size down.

This might be my lack of haproxy experience.
I tried some combinations that came to my mind and asked in the IRC channel of
haproxy, but got no response. If someone who knows haproxy better could take a
look. Maybe we can release this fix for TLSv1.3 IF there is a configuration
workaround for the few people that need the small (vulnerable) key size.

[1]: https://lists.ubuntu.com/archives/ubuntu-devel/2019-October/040814.html

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1841936

Title:
  Rebuild haproxy with openssl 1.1.1 will change features (bionic)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/haproxy/+bug/1841936/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
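An added check in the spirit of the testssl run above (example code, not part of the bug report or of haproxy): it uses openssl s_client to read the ephemeral DH group size a server offers and compares it with the 2048-bit minimum named in haproxy's warning. It assumes an OpenSSL 1.1.x s_client that prints a "Server Temp Key:" line, and the host/port passed to check_server_dh are placeholders.

```shell
#!/bin/sh
# Added example, not code from the bug report: report the finite-field DH group
# size a TLS server negotiates (the number testssl shows as "DH group offered").
MIN_DH_BITS=2048   # the minimum haproxy's warning recommends

# Parse openssl s_client output on stdin and print the DH bit count.
# Prints 0 when no DH key exchange happened (server chose ECDHE, offers no
# DHE suite at all, or the connection failed), so callers can tell that apart.
dh_bits_from_s_client_output() {
    bits=$(sed -n 's/^Server Temp Key: DH, \([0-9]*\) bits.*/\1/p' | head -n 1)
    echo "${bits:-0}"
}

# Succeed when the bit count meets MIN_DH_BITS, fail otherwise.
dh_bits_ok() {
    [ "$1" -ge "$MIN_DH_BITS" ]
}

# Restrict the client to DHE suites on TLS 1.2 so the server must reveal its
# DH group (TLS 1.3 in OpenSSL 1.1.1 negotiates only elliptic-curve groups).
# Usage: check_server_dh <host> [port]   (host/port are placeholders here)
check_server_dh() {
    host="$1"; port="${2:-443}"
    bits=$(printf '' | openssl s_client -connect "$host:$port" -servername "$host" \
        -cipher 'DHE' -tls1_2 2>/dev/null | dh_bits_from_s_client_output)
    if [ "$bits" -eq 0 ]; then
        echo "$host:$port: no DHE handshake (server may not offer DHE suites)"
        return 2
    fi
    if dh_bits_ok "$bits"; then
        echo "$host:$port: DH group $bits bits (ok)"
    else
        echo "$host:$port: DH group $bits bits (below $MIN_DH_BITS, LOGJAM-class weak group)"
        return 1
    fi
}
```

Run it against a haproxy instance before and after the package update to confirm which DH size it negotiates; a result of 1024 bits is exactly the state the warning quoted above was about.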
