Hi Lukas,
On Sun, May 24, 2015 at 12:41:12PM +0200, Lukas Tribus wrote:
> > For 1024, what we could do :
> >
> > - in 1.6 : we wouldn't provide one anymore, which means that users could
> > only load it from a file they would generate if they need one ;
>
> You are implying that we will provide 2
>> Honestly, I'm opting for removing the DH fallback in haproxy altogether and
>> simple always warn when the certificate (or a dedicated DH file parameter
>> like
>> nginx does, which was requested earlier this week and makes sense) does not
>> have the DH parameters.
>
> I'm having a mixed opini
Hi Lukas,
On Sat, May 23, 2015 at 10:03:01AM +0200, Lukas Tribus wrote:
> > OK so now we need to find what to do in the end. From what I understood,
> > just removing the lines was a test and is not viable because we'll always
> > emit the warning, right ?
>
> Honestly, I'm opting for removing th
> OK so now we need to find what to do in the end. From what I understood,
> just removing the lines was a test and is not viable because we'll always
> emit the warning, right ?
Honestly, I'm opting for removing the DH fallback in haproxy altogether and
simple always warn when the certificate (or
On Fri, May 22, 2015 at 10:58:47AM +0200, Remi Gacogne wrote:
>
> > On Fri, May 22, 2015 at 09:10:36AM +0200, Hervé Commowick wrote:
> >> As a temporary solution, i have decided to use a custom DH param for each
> >> bind, but anyway, this clearly need a fix :)
> >
> > Did you test Rémi's patch t
> On Fri, May 22, 2015 at 09:10:36AM +0200, Hervé Commowick wrote:
>> As a temporary solution, i have decided to use a custom DH param for each
>> bind, but anyway, this clearly need a fix :)
>
> Did you test Rémi's patch to confirm the origin of the issue ?
It would be great if Hervé could conf
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index d0f4d01..c5bd2f9 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -1076,10 +1076,6 @@ int ssl_sock_load_dh_params(SSL_CTX *ctx, const char
*file)
if (dh) {
ret = 1;
SSL_CTX_set_tmp_dh(ctx, dh);
-
Hey Willy,
I confirm his patch work as expected, it just need to be modified a bit to
apply on 1.5, but not a big deal.
Hervé.
On Fri, May 22, 2015 at 10:28 AM, Willy Tarreau wrote:
> Hi Hervé,
>
> On Fri, May 22, 2015 at 09:10:36AM +0200, Hervé Commowick wrote:
> > As a temporary solution, i
Hi Hervé,
On Fri, May 22, 2015 at 09:10:36AM +0200, Hervé Commowick wrote:
> As a temporary solution, i have decided to use a custom DH param for each
> bind, but anyway, this clearly need a fix :)
Did you test Rémi's patch to confirm the origin of the issue ?
I think it should probably be fixed
As a temporary solution, i have decided to use a custom DH param for each
bind, but anyway, this clearly need a fix :)
Hervé.
On Fri, May 22, 2015 at 6:14 AM, Willy Tarreau wrote:
> Hi Rémi,
>
> On Thu, May 21, 2015 at 11:19:15PM +0200, Remi Gacogne wrote:
> >
> > Hi Hervé,
> >
> > On 05/21/201
Hi Rémi,
On Thu, May 21, 2015 at 11:19:15PM +0200, Remi Gacogne wrote:
>
> Hi Hervé,
>
> On 05/21/2015 10:11 PM, Hervé Commowick wrote:
>
> > I encounter a problem with dhparam configuration, if i have 2 bind lines, a
> > tune.ssl.default-dh-param 2048, and a custom group dhparam in one of the
Hi Hervé,
On 05/21/2015 10:11 PM, Hervé Commowick wrote:
> I encounter a problem with dhparam configuration, if i have 2 bind lines, a
> tune.ssl.default-dh-param 2048, and a custom group dhparam in one of the
> pem file, ALL bind lines will use 1024, the one with the custom group will
> work as
12 matches
Mail list logo