On Wed, May 06, 2020 at 07:59:55PM +0200, Willy Tarreau wrote:
> Hi all,
> 
> while running on a trivial test config in which I had enabled
> "zero-warning", my process refused to start due to the good old
> warning "Setting tune.ssl.default-dh-param to 1024 blah blah".
> 
> I was almost certain we discussed about switching the default value
> to 2048 for 2.0 or 2.1 but couldn't find any trace of this, so I must
> have dreamed or discussed it in person. I've run a quick check on the
> configs shared on the list over the last two years and found this:
> 

I recall a discussion where the default openssl.cnf in some distribution
was denying a DH lower than 2048. You are probably thinking of this one.

> $ tail -c80m Mail/lists/haproxy-ml | grep -o 'tune.ssl.default-dh-param[[:space:]]\+[0-9]\+' | awk '{print $1,$2}' | sort | uniq -c | sort -n
>       1 tune.ssl.default-dh-param 4096
>      13 tune.ssl.default-dh-param 1024
>      86 tune.ssl.default-dh-param 2048
> 
> Thus it seems that the vast majority of users (exactly 86%) prefer to
> use 2048 which is also the one recommended in the warning. All I found
> on the subject was in fact added to the doc by Rémi who implemented the
> tunable 6 years ago (commit f46cd6e4ec), and he warned:
> 
>    values greater than 1024 bits are not supported by Java 7 and
>    earlier clients
> 
> Do we still really care given how old this is now and that users can
> still force the value if they absolutely need it ?
> 
> As such I think it's about time we change the default value to 2048 and
> get rid of this annoying warning before 2.2 gets released (and at the
> same time 86% of the users will be able to remove one cryptic line in
> their config). This way those who don't know/need it will be more
> secure by default and those who need it will still be able to.
> 
> Does anyone have any objection or alternate recommendation ?
> 
> Thanks,
> Willy


I'm fine with that, most people use at least a value of 2048 because of
the warning, their modern distribution will probably deny a lower value,
and we added this warning a long time ago.

-- 
William Lallemand
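
The thread turns on a single global tunable: with no explicit setting, HAProxy releases before this change fall back to 1024-bit DH parameters and emit the warning, which "zero-warning" turns into a startup failure. The following is an added example, not code from the thread or from HAProxy itself: a small POSIX shell lint that reports the effective tune.ssl.default-dh-param value of a config file and flags anything below 2048 bits, run against three constructed config fragments (a weak explicit 1024, an implicit default, and a corrected 2048 with the ssl-dh-param-file alternative shown as a comment). The built-in default is passed as a parameter, since this thread is precisely about changing it; the assumption of a single global section is the example's own.

```shell
#!/bin/sh
# Added example (not from the thread or from HAProxy): lint the effective DH
# group size an HAProxy config will use, so a zero-warning deployment catches
# the 1024-bit default before the process refuses to start.

set -eu

# Print the effective tune.ssl.default-dh-param for a config file.
# $1 = config file, $2 = built-in default to assume when the keyword is absent
# (1024 for releases before the change discussed above; pass 2048 for later ones).
dh_param_setting() {
    cfg=$1
    default=${2:-1024}
    # Last occurrence wins; this example assumes a single global section.
    val=$(sed -n 's/^[[:space:]]*tune\.ssl\.default-dh-param[[:space:]]\{1,\}\([0-9]\{1,\}\).*/\1/p' "$cfg" | tail -n 1)
    printf '%s\n' "${val:-$default}"
}

# Exit 0 when the effective size is at least 2048 bits, 1 otherwise.
check_dh_param() {
    size=$(dh_param_setting "$1" "${2:-1024}")
    [ "$size" -ge 2048 ]
}

# Constructed sample configs for the example (not real deployments).
tmp=$(mktemp -d)

cat > "$tmp/weak.cfg" <<'EOF'
global
    tune.ssl.default-dh-param 1024
defaults
    mode http
EOF

cat > "$tmp/implicit.cfg" <<'EOF'
global
    zero-warning
defaults
    mode http
EOF

cat > "$tmp/fixed.cfg" <<'EOF'
global
    zero-warning
    tune.ssl.default-dh-param 2048
    # Alternative: ship your own parameters instead of the built-in group:
    # ssl-dh-param-file /etc/haproxy/dhparam.pem
defaults
    mode http
EOF

# Report each sample; the loop is for the reader, the functions above do the work.
for name in weak implicit fixed; do
    if check_dh_param "$tmp/$name.cfg"; then
        state=ok
    else
        state='WARN: below 2048 bits, HAProxy will warn and zero-warning will abort'
    fi
    printf '%s: %s bits (%s)\n' "$name" "$(dh_param_setting "$tmp/$name.cfg")" "$state"
done

# Manual follow-up on a live listener (not run here): a DHE handshake reports
# the negotiated group size on the "Server Temp Key:" line, e.g.
#   openssl s_client -connect host:443 -cipher DHE </dev/null 2>/dev/null | grep 'Server Temp Key'
```

The lint only reads the keyword; it does not parse a PEM referenced by ssl-dh-param-file, and on releases where the built-in default has moved to 2048 the second argument must be set accordingly or an absent keyword will be reported as the old 1024-bit fallback.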
