On 6/4/2015 9:54 AM, Willy Tarreau wrote:
> I simply used "openssl dhparam <size>" as suggested, and am trusting
> openssl to provide something reasonably safe since this is how every user
> builds their own dhparam when they don't want to use the initial one.

I've been trying to read up on this vulnerability and how to prevent it. I admit that I'm having a hard time grasping everything. I decided to look for HOWTO information on mitigating the problem instead of trying to understand it.

I found a preferred cipher list to use with haproxy, and the rest of the info I *think* can be summarized as "create a new dhparam of 2048 bits with openssl and append it to each PEM certificate file."

https://weakdh.org/sysadmin.html#haproxy

Is that right? If not, what exactly should I be doing?

Thanks,
Shawn

