At first it rejected my config:

    Oct 14 10:02:38 b haproxy[27966]: [ALERT] 286/100238 (27966) : parsing [/etc/haproxy/haproxy.cfg:22] : 'ssl-dh-param-file': unable to load DH parameters from file </etc/haproxy/ssl.cfg>.
    Oct 14 10:02:38 b haproxy[27966]: [ALERT] 286/100238 (27966) : Error(s) found in configuration file : /etc/haproxy/haproxy.cfg

Following the addition of the feature [1] I found [2]. From there I experimented with pem files.

    # Create small DH parameter:
    openssl dhparam -out /etc/haproxy/ssl.pem 1024
    # Config haproxy to use that one in /etc/haproxy/haproxy.cfg:
    ssl-dh-param-file /etc/haproxy/ssl.pem

But all of that seems like defining static DH params for haproxy. And the key used in PFS is about an "ephemeral DH key", right? I still struggle to convince haproxy to do what I want :-/

Everyone with more haproxy knowledge is welcome to give this a try ...

[1]: https://www.mail-archive.com/[email protected]/msg18086.html
[2]: https://www.openssl.org/docs/man1.0.2/man3/PEM_read_bio_DHparams.html

--
https://bugs.launchpad.net/bugs/1841936
Title: Rebuild haproxy with openssl 1.1.1 will change features (bionic)
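Added example, not part of the original comment and not haproxy or OpenSSL code: a small Python parser for the PEM "DH PARAMETERS" format that `openssl dhparam` writes, useful for checking a file before naming it in `ssl-dh-param-file`. It shows that such a file carries only the group values p and g, and that a file without that PEM block is rejected; the sample inputs and all function names are constructed for illustration.

```python
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN DH PARAMETERS-----\s*(.*?)\s*-----END DH PARAMETERS-----", re.S)

# Constructed toy input: DER SEQUENCE { INTEGER 23, INTEGER 5 } (far too small for real use).
SAMPLE_PEM = "-----BEGIN DH PARAMETERS-----\nMAYCARcCAQU=\n-----END DH PARAMETERS-----\n"
# Constructed stand-in for a file that is not PEM DH parameters at all.
NOT_PEM = "this file holds no PEM block\n"

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def parse_dh_params(text):
    """Parse PEM DH parameters and return the prime p, generator g and size of p."""
    m = PEM_RE.search(text)
    if not m:
        raise ValueError("no 'BEGIN DH PARAMETERS' PEM block found")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected a DER SEQUENCE")
    tag_p, p_raw, pos = _read_tlv(seq, 0)
    tag_g, g_raw, _ = _read_tlv(seq, pos)
    if tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("expected INTEGER p followed by INTEGER g")
    p = int.from_bytes(p_raw, "big")
    g = int.from_bytes(g_raw, "big")
    return {"p": p, "g": g, "bits": p.bit_length()}

if __name__ == "__main__":
    print(parse_dh_params(SAMPLE_PEM))
    try:
        parse_dh_params(NOT_PEM)
    except ValueError as err:
        print("rejected:", err)
```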
