> In HAProxy, this flag is currently statically disabled by default in > src/ssl_sock.c line 2539. Thus, when used with older OpenSSL versions > than 1.0.1r or 1.0.2f, users could be vulnerable.
I don't see it. Can you please elaborate what exact commit ID your are refering to? As far as I an see we do the exact opossite of what you are saying (enabling SSL_OP_SINGLE_DH_USE unconditionally). Lukas