ssl_cert=SELFSIGNED and global_default_dh_param

Bug #2020439 reported by Marcus Boden
This bug affects 1 person
Affects: charm-haproxy | Status: New | Importance: Undecided | Assigned to: Unassigned | Milestone: (none)

Bug Description

When using ssl_cert=SELFSIGNED and trying to set global_default_dh_param, we ran into the issue that we couldn't get the DH key size above 1024 even though we set global_default_dh_param to 4096.
Turns out that the parameter tries to match the cert key file, as mentioned here:
https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#3.2-tune.ssl.default-dh-param

And our key hadn't been recreated in quite a long time and was still 1024 bits (although the default was already 2048).
This resulted in the DH key size being 1024 bits, and it was rather difficult to find the reason for it.

To create a new key, I had to delete it on the unit and run the config-changed hook manually. It then defaulted to 2048 (which was enough for me).

It would be helpful to either put out some warnings when using different key sizes like that, or at least put a note into the help text of the global_default_dh_param option. Additionally, an option to set the self-signed key size or an action to recreate it would have been helpful.
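The check the reporter describes, as an added example that is not part of this bug report or of the charm-haproxy code: haproxy clamps the ephemeral DH size to the RSA key size behind the certificate (effective = min(tune.ssl.default-dh-param, key bits)), so a stale 1024-bit self-signed key silently caps a 4096 setting at 1024. The script below reads the key size with openssl, computes the effective DH size, warns when the key is the limiting factor, and regenerates a self-signed cert at an explicit key size. It assumes openssl is on PATH and an unencrypted PEM key; the combined cert+key output path is an assumption, not the charm's actual file layout.

```shell
#!/bin/sh
# Added example, not charm-haproxy code. Assumes openssl on PATH and an
# unencrypted PEM RSA key (a plain key file or haproxy's combined cert+key PEM).
set -eu

# Print the RSA modulus size in bits for a PEM private key. The hex modulus
# length is used because the textual "Private-Key: (N bit)" line changed
# format between OpenSSL 1.1 and 3.x; standard key sizes have the top bit set,
# so the hex string has no leading zeros and bits = hexlen * 4.
rsa_key_bits() {
    hex=$(openssl rsa -in "$1" -noout -modulus | sed 's/^Modulus=//')
    echo $(( ${#hex} * 4 ))
}

# haproxy uses min(tune.ssl.default-dh-param, RSA key size) for DHE.
effective_dh_bits() {
    key_bits=$(rsa_key_bits "$1")
    requested=$2
    if [ "$key_bits" -lt "$requested" ]; then
        echo "$key_bits"
    else
        echo "$requested"
    fi
}

# Warn on stderr and return 1 when the key caps the requested DH size;
# return 0 when the requested size will actually be used.
check_dh_param() {
    key=$1
    requested=$2
    effective=$(effective_dh_bits "$key" "$requested")
    if [ "$effective" -lt "$requested" ]; then
        echo "WARNING: $key is $(rsa_key_bits "$key")-bit RSA; haproxy will use ${effective}-bit DH params, not $requested" >&2
        return 1
    fi
    return 0
}

# Regenerate a self-signed cert with an explicit RSA key size (the option /
# action the reporter asks for) and write cert+key as one PEM, which is the
# form haproxy's crt directive reads. Output path is the caller's choice.
regen_selfsigned() {
    out=$1
    bits=$2
    cn=${3:-localhost}
    tmp=$(mktemp -d)
    openssl req -x509 -newkey "rsa:$bits" -nodes -days 365 -subj "/CN=$cn" \
        -keyout "$tmp/key.pem" -out "$tmp/cert.pem" 2>/dev/null
    cat "$tmp/cert.pem" "$tmp/key.pem" > "$out"
    rm -rf "$tmp"
}
```

Typical use on a unit: `check_dh_param /path/to/haproxy.pem 4096 || regen_selfsigned /path/to/haproxy.pem 4096`, then reload haproxy. Running the check from the hook that renders the config would have surfaced the mismatch immediately instead of leaving it to be discovered from the negotiated cipher suite.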
