Hi Rémi,

On Fri, May 22, 2015 at 09:11:39AM +0200, Remi Gacogne wrote:
> Hello,
>
> On 05/22/2015 07:32 AM, Willy Tarreau wrote:
>
> > That makes me think about something, as you advocated a long time ago
> > for increasing the dh-param default size. Do you think we should take
> > the opportunity of 1.6 to increase the default size ? It will use more
> > CPUs for people who migrate from 1.5 only, and such people are expected
> > to run tests during the migration anyway so they should not be surprised.
>
> I think that would be great! We could alter the warning so that people
> not explicitly setting the value in the configuration are aware that it
> is now set to 2048.

Yes as well.

> >> If you cannot increase the DH key size above 1024-bit, please at least
> >> generate a custom DH group with the "openssl dhparam 2048" command, and
> >> add the result of this command to your certificate file.
> >
> > Does that improve the situation regarding the CPU usage ? I must confess
> > this is still very cryptic to me (no pun intended).
>
> Oh, I used the wrong group size on the openssl dhparam command, it
> should have been:
>
> openssl dhparam 1024
>
> Otherwise it makes no sense, sorry about that.

ah ?

> So yes, using a custom
> 1024-bit DH group instead of the default Oakley group 2 makes it a lot
> harder to do pre-computation while having no impact on the CPU usage.

I think you have to realize that I don't understand anything at all here,
I have no idea what an "Oakley group 2" is. I'm just a regular user when
it comes to SSL. Is it the thing that is assigned by default when using
"default-dh-param" ? In this case, does it mean that generating a random
dh-param at boot would solve the issue ?

Thanks!
Willy