>> You can use your own dhparam by appending it to the file specified with
>> the crt command, after your certificate chain and key.
>
> Well, I meant globally, as default.
>
> global
>     tune.ssl.default-dh-param /path/to/custom/dhparams.pem

I don't think it's possible right now, but it should not be too hard to add this feature.

> 2048 was just an example. There is 1024 and IIRC 768 as well. One might
> be forced to use 1024.
> Also, according to the documentation HAProxy wouldn't allow/use anything
> greater than tune.ssl.default-dh-param which is 1024 by default - unless
> I misunderstood something.

If you add a custom group to your certificate file, it will override the tune.ssl.default-dh-param configuration. tune.ssl.default-dh-param has been added to provide a default group when no custom one has been provided. Maybe the documentation is not very clear on this point (sorry about that).

- No custom group in the certificate file, tune.ssl.default-dh-param not specified or set to 1024 => the default Oakley group 2 (1024-bit) is used.

- No custom group in the certificate file, tune.ssl.default-dh-param set to 2048 => the 2048-bit MODP group 14 will be used, except if the certificate has an RSA key smaller than 2048 bits, in which case Oakley group 2 (1024-bit) is used.

- No custom group in the certificate file, tune.ssl.default-dh-param set to 4096 => the 4096-bit MODP group 16 will be used, except if the certificate has an RSA key smaller than 4096 bits but larger than or equal to 2048 bits, in which case the 2048-bit MODP group 14 is used. If the key is smaller than 2048 bits, then Oakley group 2 (1024-bit) is used.

- No custom group in the certificate file, tune.ssl.default-dh-param set to 8192 => the 8192-bit MODP group 18 will be used, with the same exceptions as previously.

- A custom group is set in the certificate file: no matter what tune.ssl.default-dh-param is set to, no matter the size of the RSA key in your certificate, no matter the size of the custom group, this custom group is used.

-- 
Rémi
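The selection rules Rémi lists above, written out as an added example (this is not code from HAProxy or from the thread; it only mirrors the behaviour described in the message). The function names, the PEM marker scan and the sample certificate-file text are my own assumptions: a real combined file would carry the output of `openssl dhparam` after the certificate chain and key, whereas the DH block here is a constructed placeholder used only to show that the presence of the block, not its size, decides the outcome.

```python
"""Mirror of the DH group selection rules described in Rémi's reply.

Added example, not HAProxy code.  It models which DH group a listener
would end up with for a given tune.ssl.default-dh-param value, RSA key
size and certificate file, using exactly the rules stated in the message.
"""

# Built-in groups named in the message, keyed by size in bits.
BUILTIN_GROUPS = {
    1024: "Oakley group 2",
    2048: "MODP group 14",
    4096: "MODP group 16",
    8192: "MODP group 18",
}

DH_BEGIN = "-----BEGIN DH PARAMETERS-----"
DH_END = "-----END DH PARAMETERS-----"


def has_custom_dh_group(pem_text: str) -> bool:
    """True when the certificate file carries its own DH PARAMETERS block.

    This is the check a practitioner wants before relying on an appended
    group: if the block is missing, HAProxy falls back to the built-in
    groups chosen by tune.ssl.default-dh-param.
    """
    start = pem_text.find(DH_BEGIN)
    return start != -1 and pem_text.find(DH_END, start) != -1


def effective_dh_group(default_dh_param, rsa_key_bits: int, pem_text: str = ""):
    """Return (bits, name) for the group HAProxy would use, per the message.

    default_dh_param: tune.ssl.default-dh-param value, or None if unset.
    rsa_key_bits:     size of the certificate's RSA key.
    pem_text:         contents of the file given to the crt keyword.
    """
    # A custom group in the certificate file wins unconditionally.
    if has_custom_dh_group(pem_text):
        return (None, "custom group from certificate file")

    # Unset behaves like 1024 (the documented default).
    if default_dh_param is None:
        default_dh_param = 1024
    if default_dh_param not in BUILTIN_GROUPS:
        raise ValueError(f"unsupported tune.ssl.default-dh-param: {default_dh_param}")

    # Walk down from the configured size to the largest built-in group
    # that does not exceed the RSA key size; 1024 is the floor.
    for bits in sorted(BUILTIN_GROUPS, reverse=True):
        if bits > default_dh_param:
            continue
        if bits <= rsa_key_bits or bits == 1024:
            return (bits, BUILTIN_GROUPS[bits])
    raise AssertionError("unreachable: 1024 always qualifies")


# Constructed sample inputs (not real key material): a certificate file
# without a DH block, and the same file with a placeholder DH block appended.
CERT_ONLY = """-----BEGIN CERTIFICATE-----
MIIB...placeholder...
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIE...placeholder...
-----END RSA PRIVATE KEY-----
"""

CERT_WITH_DH = CERT_ONLY + """-----BEGIN DH PARAMETERS-----
MIIB...placeholder...
-----END DH PARAMETERS-----
"""


if __name__ == "__main__":
    for default, key_bits, pem in [
        (None, 2048, CERT_ONLY),
        (2048, 1024, CERT_ONLY),
        (4096, 2048, CERT_ONLY),
        (8192, 3072, CERT_ONLY),
        (1024, 4096, CERT_WITH_DH),
    ]:
        print(default, key_bits, has_custom_dh_group(pem),
              effective_dh_group(default, key_bits, pem))
```

Run it against the real file you hand to `crt`: if `has_custom_dh_group` reports false for a file you believed carried appended parameters (generated with something like `openssl dhparam -out dhparams.pem 2048` and concatenated after the chain and key), the listener is using the built-in group that `effective_dh_group` reports rather than your custom one.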