Changed the Diffie Hellman parameter maximum size

This introduces the variable haproxy_ssl_dh_param

It sets the maximum size of the DH parameters used
for generating keys in DHE key exchange.

Higher values increase CPU load but are more secure.

This value is ignored if static DH params are given
in cert file.

Change-Id: Idca02a8337fa3790ddfb849d9e2e87d60076c399
Jean-Philippe Evrard 2015-09-17 16:23:47 +02:00 committed by Jesse Pretorius
parent 88c948c455
commit c9c6aa292b
2 changed files with 2 additions and 0 deletions


@ -71,6 +71,7 @@ haproxy_bind_on_non_local: False
## haproxy SSL ## haproxy SSL
haproxy_ssl: no haproxy_ssl: no
haproxy_ssl_dh_param: 2048
haproxy_ssl_self_signed_regen: no haproxy_ssl_self_signed_regen: no
haproxy_ssl_cert: /etc/ssl/certs/haproxy.cert haproxy_ssl_cert: /etc/ssl/certs/haproxy.cert
haproxy_ssl_key: /etc/ssl/private/haproxy.key haproxy_ssl_key: /etc/ssl/private/haproxy.key
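Review bot: The added `haproxy_ssl_dh_param: 2048` default carries no comment, so an operator overriding it has to find the commit message to learn what the value controls. I would put two comment lines above it: `# Max size in bits of the ephemeral DH parameters used for DHE; ignored when the cert file carries static DH params.` and `# Keep at 2048 or higher; smaller sizes weaken the DHE key exchange.` The defaults file continues outside the hunk, so an existing documentation convention there may call for different wording.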


@ -10,6 +10,7 @@ global
maxconn 4096 maxconn 4096
tune.bufsize 384000 tune.bufsize 384000
stats socket /var/run/haproxy.stat level admin mode 600 stats socket /var/run/haproxy.stat level admin mode 600
{% if haproxy_ssl | bool %}tune.ssl.default-dh-param {{haproxy_ssl_dh_param}}{% endif %}
defaults defaults
log global log global
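Review bot: The added `tune.ssl.default-dh-param` line renders whatever `haproxy_ssl_dh_param` holds, so an override of 1024 or a non-numeric string reaches haproxy.cfg without any check. A lower bound would stop a deployment from silently falling back to a weak DHE group, for example `tune.ssl.default-dh-param {{ [haproxy_ssl_dh_param | int, 2048] | max }}`. If the role should fail rather than clamp, an `assert` task on `haproxy_ssl_dh_param | int >= 2048` does the same job. The `global` section starts above the hunk, and whether the role validates the variable elsewhere is not visible here.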