charm-haproxy

ssl_cert=SELFSIGNED and global_default_dh_param

Bug #2020439 reported by Marcus Boden on 2023-05-23

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	charm-haproxy	New	Undecided	Unassigned

Bug Description

When using the ssl_cert=SELFSIGNED and trying to set the global_default_dh_param, we ran into the issue, that we couldn't get the dh key size above 1024 even though we set global_default_dh_param to 4096.
Turns out that the parameter tries to match the cert key file, as mentioned here:
https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#3.2-tune.ssl.default-dh-param

And our key wasn't recreated in quite a long time and was still at 1024 bits (although the default was already at 2048).
This resulted in the dh key sizes to be at 1024 bit and it was rather difficult to find the reason for it.

To create a new key, I had to delete it on the unit and run the config-changed hook manually. It then defaulted to 2048 (which was enough for me).

It would be helpful to either put out some warnings when using different key sizes like that, or at least put a note into the help text of the global_default_dh_param option. Additionally, an option to set the self-signed key size or an action to recreated would have been helpful.

See original description

Marcus Boden (marcusboden) on 2023-05-23

description:

updated

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.