As a temporary solution, I have decided to use a custom DH param for each
bind, but anyway, this clearly needs a fix :)

Hervé.

On Fri, May 22, 2015 at 6:14 AM, Willy Tarreau <w...@1wt.eu> wrote:

> Hi Rémi,
>
> On Thu, May 21, 2015 at 11:19:15PM +0200, Remi Gacogne wrote:
> >
> > Hi Hervé,
> >
> > On 05/21/2015 10:11 PM, Hervé Commowick wrote:
> >
> > > I encounter a problem with dhparam configuration: if I have 2 bind
> > > lines, a tune.ssl.default-dh-param 2048, and a custom group dhparam in
> > > one of the pem files, ALL bind lines will use 1024; the one with the
> > > custom group will work as expected, and the one without will use the
> > > default Oakley group 2 instead of the 2048-bit MODP group 14 (thx Remi
> > > for the wording, I'm not sure I understand all of that well :))
> > >
> > > This is clearly a bug IMHO, thx to anyone who can help (Remi ? :) )
> >
> > Oh, this is a bug indeed, and it's my fault. In order to prevent the
> > display of warning messages about default-dh-param not being set when a
> > static DH group value is used, the value of default-dh-param is
> > overridden when a static DH group value is found. It does work when you
> > have only one bind, but it's clearly wrong when more than one is used,
> > like in your configuration.
> >
> > Could you try with the attached patch? It's a patch against the 1.6
> > trunk but it does apply cleanly against 1.5.12.
> >
> > It will result in false positive messages about default-dh-param not
> > being set when it's not needed, but to prevent that we will need to
> > check if each bind has a static DH group value, which I'm not very fond
> > of.
>
> I think we could proceed differently then: if no global dhparam is set
> when parsing the bind line *and* no dhparam is set in the file, then we
> should set it and emit the warning at this moment. Or alternatively,
> we could even just set the global param from the bind line when it was
> not set.
>
> Willy
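Rémi's reply above notes that avoiding the false-positive warning would require checking whether each bind has a static DH group value. The shell script below is an added example, not code from this thread or from HAProxy itself, that performs that check from the outside as an operator would: it reads the global `tune.ssl.default-dh-param` value, finds every `crt` file referenced on a `bind` line, and reports which PEM files carry a `DH PARAMETERS` block and which do not (the latter are the binds that, with the bug described here, silently end up on the 1024-bit default group). The config and PEM files are constructed fixtures with placeholder contents; the assumed syntax is HAProxy's `bind ... ssl crt <file>`, and paths containing spaces are not handled.

```sh
#!/bin/sh
# Added example (not part of the mailing-list thread or of HAProxy):
# audit which SSL binds in a haproxy.cfg have a static DH group in their PEM.

# pem_has_dh FILE -> exit 0 if FILE contains a "DH PARAMETERS" block, 1 otherwise
pem_has_dh() {
    grep -q -- '-----BEGIN DH PARAMETERS-----' "$1"
}

# default_dh_param CONFIG -> prints the tune.ssl.default-dh-param value, or "unset"
default_dh_param() {
    v=$(awk '$1 == "tune.ssl.default-dh-param" { print $2; exit }' "$1")
    if [ -n "$v" ]; then echo "$v"; else echo "unset"; fi
}

# crt_files CONFIG -> prints the file given after "crt" on every bind line
crt_files() {
    awk '$1 == "bind" { for (i = 2; i < NF; i++) if ($i == "crt") print $(i + 1) }' "$1"
}

# audit_binds CONFIG -> one line per crt file:
#   "STATIC <file>"   the PEM carries its own DH group
#   "FALLBACK <file>" no DH group in the PEM; relies on default-dh-param
audit_binds() {
    cfg=$1
    dflt=$(default_dh_param "$cfg")
    for pem in $(crt_files "$cfg"); do
        if pem_has_dh "$pem"; then
            echo "STATIC $pem"
        else
            echo "FALLBACK $pem (default-dh-param=$dflt)"
        fi
    done
}

# count_fallback CONFIG -> prints how many binds depend on the default group
count_fallback() {
    audit_binds "$1" | awk '/^FALLBACK/ { n++ } END { print n + 0 }'
}

# make_fixture -> builds a constructed haproxy.cfg plus two PEMs in a temp
# directory and prints that directory. The PEM bodies are placeholders,
# not real certificates or DH parameters; only the PEM markers matter here.
make_fixture() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER' '-----END CERTIFICATE-----' \
        '-----BEGIN DH PARAMETERS-----' 'PLACEHOLDER' '-----END DH PARAMETERS-----' \
        > "$d/with-dh.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER' '-----END CERTIFICATE-----' \
        > "$d/no-dh.pem"
    cat > "$d/haproxy.cfg" <<EOF
global
    tune.ssl.default-dh-param 2048

frontend https
    bind :443 ssl crt $d/with-dh.pem
    bind :8443 ssl crt $d/no-dh.pem
EOF
    echo "$d"
}

# Usage: sh audit-dh.sh /etc/haproxy/haproxy.cfg
if [ $# -gt 0 ]; then
    audit_binds "$1"
fi
```

Run against a real configuration, every `FALLBACK` line is a bind whose effective DH group is whatever the global setting (or, with this bug, the 1024-bit default) provides; adding a `DH PARAMETERS` block to that PEM, as Hervé did as a workaround, turns it into `STATIC`.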
