Re: PEM Certificates for HAproxy
On 29 Apr, Shawn Heisey wrote:
> I know that a fresh install can be instantly operational with TLS,
> suggesting that it is not generating them on the fly ... so I really wonder
> how secure the default params are. I wonder what is being used when there
> are no params in the cert file. Does it get something hardcoded and use that
> until params generated in the background can be swapped in?

You'll want to have a look at this issue:
https://github.com/haproxy/haproxy/issues/1604

Indeed HAProxy has default ones, and reading the issue and the comments of Lukas you'll understand why DH params are a thing of the past (if you use modern ciphers), and why generating them yourself is not even that great to begin with.

(I'm the author of the issue btw)

Best,
~Nico
Re: PEM Certificates for HAproxy
On 4/29/22 12:42, Branitsky, Norman wrote:
> If you include the following in your HAProxy configuration global section
> you don't need to include DH Params in the certificate:
>
> tune.ssl.default-dh-param 2048

It takes several minutes to generate params, so I doubt that with that option there would be different params for each certificate. It is my understanding that when they are included in the cert file, each cert can have different params. Part of my automated cert renewal process included generating brand new DH params.

I know that a fresh install can be instantly operational with TLS, suggesting that it is not generating them on the fly ... so I really wonder how secure the default params are. I wonder what is being used when there are no params in the cert file. Does it get something hardcoded and use that until params generated in the background can be swapped in?

Thanks,
Shawn
Re: PEM Certificates for HAproxy
On 4/29/22 11:16, Henning Svane wrote:
> I have tried to build a PEM Certificate, but with no luck.
> What should it include and in which order?

I use certs issued by LetsEncrypt. My certificate file that I use for haproxy and most other software doing TLS has four PEM-encoded items in it:

Server cert
LetsEncrypt Issuing cert
Private Key
DH Params

The file is owned by root and has 600 permissions.

The only thing that might be important there as far as order would be to have the server cert before the issuing cert.

You do not normally need to include the CA's root certificate in the file -- the browser already has root certificates for any authority that it trusts ... that is how trust is established. Unless you created the cert yourself, what you want to have in your file is certs for the entire trust chain *EXCEPT* for the root cert.

Most software will ignore DH Params in the certificate file. It is my understanding that haproxy actually uses it. So each cert file that I employ gets its own 4096 bit DH Params. My cert is also 4096 bit.

Thanks,
Shawn
PEM Certificates for HAproxy
Hi

I have tried to build a PEM Certificate, but with no luck.
What should it include and in which order?

The PEM file from the Exchange Server includes Attributes blocks; should these be removed from the Private PEM file?

Here are all the certificates I have.

Also from DigiCert, which certificate should I include?
* Intermediate Certificate
* Root Certificate

From the Private Certificate I have
* Private Certificate
* Public Certificate

Here is the Private Certificate with the mentioned Attributes Blocks:

Bag Attributes
    Microsoft Local Key set:
    localKeyID: 01 00 00 00
    friendlyName: xx-xx----
    Microsoft CSP Name: Microsoft RSA SChannel Cryptographic Provider
Key Attributes
    X509v3 Key Usage: 10
-----BEGIN PRIVATE KEY-----
(Private certificate has been removed)
-----END PRIVATE KEY-----
Bag Attributes
    localKeyID: 01 00 00 00
    friendlyName: "friendly Name"
subject=C = DK, L = Copenhagen, O = "Company name", CN = "Common name"
issuer=C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
-----BEGIN CERTIFICATE-----
(Certificate has been removed)
-----END CERTIFICATE-----

Regards
Henning
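As an added example that is not part of any message in this thread: a POSIX shell script that assembles the bundle in the order Shawn lists (server cert, issuing cert, private key, DH params), drops the "Bag Attributes", "Key Attributes", "subject=" and "issuer=" lines that Henning's Exchange export carries (HAProxy only needs the BEGIN/END blocks), creates the file readable by its owner only as Shawn notes, checks that the block order is right, and, when openssl is installed, confirms that the private key belongs to the first certificate. The file names, the placeholder PEM bodies and the helper names are all constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): assemble a HAProxy PEM bundle from a
# PKCS#12-style export. Parts are concatenated in the order given, which is
# the order Shawn describes: server cert, issuing cert(s), private key, DH params.
# All file names below are constructed for this example.

# keep_pem_blocks FILE: print only the -----BEGIN ...----- / -----END ...-----
# blocks of FILE. Everything outside them (Bag Attributes, Key Attributes,
# subject=, issuer=) is dropped; CR characters from a Windows export are removed.
keep_pem_blocks() {
    tr -d '\r' < "$1" |
        awk '/^-----BEGIN /{inside=1} inside{print} /^-----END /{inside=0}'
}

# pem_block_types FILE: the BEGIN labels of FILE in order, ';'-separated,
# e.g. "CERTIFICATE;CERTIFICATE;PRIVATE KEY;DH PARAMETERS;"
pem_block_types() {
    tr -d '\r' < "$1" | sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' | tr '\n' ';'
}

# build_bundle OUT PART...: write the PEM blocks of each PART into OUT, in the
# order given. The umask in the subshell makes the file mode 0600 from creation,
# so the private key is never world-readable, not even briefly.
build_bundle() {
    out=$1; shift
    (
        umask 077
        : > "$out"
        for part in "$@"; do
            keep_pem_blocks "$part" >> "$out"
        done
    )
    chmod 600 "$out"
}

# check_bundle FILE: succeed only if the bundle starts with the server cert
# followed by at least one issuer cert, then the private key (any label:
# PRIVATE KEY, RSA PRIVATE KEY, EC PRIVATE KEY), with DH PARAMETERS optionally last.
check_bundle() {
    case "$(pem_block_types "$1")" in
        "CERTIFICATE;CERTIFICATE;"*"PRIVATE KEY;") return 0 ;;
        "CERTIFICATE;CERTIFICATE;"*"PRIVATE KEY;DH PARAMETERS;") return 0 ;;
        *) return 1 ;;
    esac
}

# key_matches_cert BUNDLE: compare the public key inside the first certificate
# with the public key derived from the private key. Needs openssl (skipped when
# absent); a mismatch is a common reason a TLS bind fails to load the bundle.
key_matches_cert() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not installed, check skipped" >&2; return 0; }
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$1" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# make_sample_inputs: write constructed placeholder parts (NOT real keys or
# certificates; the bodies are arbitrary base64) into a temp dir and print its path.
make_sample_inputs() {
    d=$(mktemp -d)
    cat > "$d/server.crt" <<'EOF'
Bag Attributes
    localKeyID: 01 00 00 00
    friendlyName: "friendly Name"
subject=CN = example.invalid
issuer=CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
cGxhY2Vob2xkZXIgbGVhZiBjZXJ0aWZpY2F0ZQ==
-----END CERTIFICATE-----
EOF
    printf -- '-----BEGIN CERTIFICATE-----\ncGxhY2Vob2xkZXIgaXNzdWVy\n-----END CERTIFICATE-----\n' > "$d/intermediate.crt"
    cat > "$d/private.key" <<'EOF'
Bag Attributes
    Microsoft CSP Name: Microsoft RSA SChannel Cryptographic Provider
Key Attributes
    X509v3 Key Usage: 10
-----BEGIN PRIVATE KEY-----
cGxhY2Vob2xkZXIga2V5
-----END PRIVATE KEY-----
EOF
    printf -- '-----BEGIN DH PARAMETERS-----\ncGxhY2Vob2xkZXI=\n-----END DH PARAMETERS-----\n' > "$d/dhparam.pem"
    printf '%s\n' "$d"
}

# Stand-alone run on the constructed inputs: sh pem_bundle.sh demo
if [ "${1:-}" = demo ]; then
    d=$(make_sample_inputs)
    build_bundle "$d/bundle.pem" "$d/server.crt" "$d/intermediate.crt" "$d/private.key" "$d/dhparam.pem"
    pem_block_types "$d/bundle.pem"; echo
    if check_bundle "$d/bundle.pem"; then echo "block order OK"; else echo "block order WRONG"; fi
    rm -rf "$d"
fi
```

With real files the call is the same, e.g. `build_bundle /etc/haproxy/certs/example.pem server.crt intermediate.crt private.key dhparam.pem` followed by `check_bundle` and `key_matches_cert` on the result (the placeholder bodies above are not valid DER, so `key_matches_cert` only makes sense on real material). The root certificate is deliberately not among the parts, matching Shawn's point that the chain in the file stops at the issuing certificate.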