Hi Rémi,

On Thu, May 21, 2015 at 11:19:15PM +0200, Remi Gacogne wrote:
> Hi Hervé,
>
> On 05/21/2015 10:11 PM, Hervé Commowick wrote:
>
> > I encounter a problem with dhparam configuration, if I have 2 bind lines, a
> > tune.ssl.default-dh-param 2048, and a custom group dhparam in one of the
> > pem files, ALL bind lines will use 1024, the one with the custom group will
> > work as expected, and the one without will use the default Oakley group 2
> > instead of the 2048-bit MODP group 14 (thx Remi for the wording, I'm not
> > sure to well understand all of that :))
> >
> > this is clearly a bug amha, thx anyone who can help (Remi ? :) )
>
> Oh, this is a bug indeed, and it's my fault. In order to prevent the
> display of warning messages about default-dh-param not being set when a
> static DH group value is used, the value of default-dh-param is
> overridden when a static DH group value is found. It does work when you
> have only one bind, but it's clearly wrong when more than one is used,
> like in your configuration.
>
> Could you try with the attached patch? It's a patch against the 1.6
> trunk but it does apply cleanly against 1.5.12.
>
> It will result in false positive messages about default-dh-param not
> being set when it's not needed, but to prevent that we will need to
> check if each bind has a static DH group value, which I'm not very fond of.
I think we could proceed differently then: if no global dhparam is set when parsing the bind line *and* no dhparam is set in the file, then we should set it and emit the warning at this moment. Or alternatively, we could even just set the global param from the bind line when it was not set.

Willy
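The thread turns on which bind lines carry their own DH group in the crt file and which depend on tune.ssl.default-dh-param. The following audit script is an added example, not code from HAProxy or from anyone in this thread: it parses the DER "DH PARAMETERS" block of each PEM file to report the prime size and the source of the group per bind. The PEM samples are constructed inline (the "prime" is just a 1024-bit odd number, not a real group), and the function names are my own.

```python
import base64
import re

def _read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                       # long form: low 7 bits = number of length bytes
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + ln], pos + ln

def dh_prime_bits(pem_text):
    """Bit length of the DH prime in a PEM file's DH PARAMETERS block, or None if absent."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----",
                  pem_text, re.S)
    if not m:
        return None
    der = base64.b64decode("".join(m.group(1).split()))
    tag, seq, _ = _read_tlv(der, 0)     # PKCS#3 DHParameter ::= SEQUENCE { p, g }
    if tag != 0x30:
        raise ValueError("DH PARAMETERS is not a DER SEQUENCE")
    tag, p_bytes, _ = _read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("first SEQUENCE element is not an INTEGER")
    return int.from_bytes(p_bytes, "big").bit_length()

def audit_binds(crt_pems, default_dh_param):
    """Per bind: (effective DH bits, where the group comes from)."""
    result = []
    for pem in crt_pems:
        bits = dh_prime_bits(pem)
        result.append((bits, "embedded") if bits else (default_dh_param, "default-dh-param"))
    return result

# --- constructed sample inputs; not real certificates, keys or DH groups ---
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _der_int(x):
    b = x.to_bytes((x.bit_length() + 7) // 8, "big")
    if b[0] & 0x80:                     # leading zero keeps the INTEGER positive
        b = b"\x00" + b
    return b"\x02" + _der_len(len(b)) + b

def make_dh_pem(p, g=2):
    body = _der_int(p) + _der_int(g)
    b64 = base64.b64encode(b"\x30" + _der_len(len(body)) + body).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"

_CERT_PLACEHOLDER = "-----BEGIN CERTIFICATE-----\n(placeholder)\n-----END CERTIFICATE-----\n"
CRT_WITH_GROUP = _CERT_PLACEHOLDER + make_dh_pem((1 << 1023) | 1)   # 1024-bit custom group
CRT_WITHOUT_GROUP = _CERT_PLACEHOLDER                                 # relies on the global
```

Running `audit_binds([CRT_WITH_GROUP, CRT_WITHOUT_GROUP], 2048)` shows the first bind using its embedded 1024-bit group and the second expecting the 2048-bit default, which is exactly the split Hervé's configuration has.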