]> git.ipfire.org Git - thirdparty/haproxy.git/commit
projects / thirdparty / haproxy.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 528b3fd) | patch
MEDIUM: ssl: Disable DHE ciphers by default
authorRemi Tricot-Le Breton <rlebreton@haproxy.com>
Tue, 12 Apr 2022 09:31:55 +0000 (11:31 +0200)
committerWilliam Lallemand <wlallemand@haproxy.org>
Wed, 20 Apr 2022 15:30:55 +0000 (17:30 +0200)
commit1d6338ea9677bb08812bfa4dfa5e68e84ed0feaf
treeef0ebf4439afe2e8e5863a544ab442353b1cfe8atree | snapshot
parent528b3fd9bef74a408ae42fc2bd03c02ed3b45b52commit | diff
MEDIUM: ssl: Disable DHE ciphers by default

DHE ciphers do not present a security risk if the key is big enough but
they are slow and mostly obsoleted by ECDHE. This patch removes any
default DH parameters. This will effectively disable all DHE ciphers
unless a global ssl-dh-param-file is defined, or
tune.ssl.default-dh-param is set, or a frontend has DH parameters
included in its PEM certificate. In this latter case, only the frontends
that have DH parameters will have DHE ciphers enabled.
Adding explicitely a DHE ciphers in a "bind" line will not be enough to
actually enable DHE. We would still need to know which DH parameters to
use so one of the three conditions described above must be met.

This request was described in GitHub issue #1604.
doc/configuration.txt diff | blob | blame | history
include/haproxy/defaults.h diff | blob | blame | history
reg-tests/ssl/ssl_dh.vtc diff | blob | blame | history
src/ssl_sock.c diff | blob | blame | history
Mirror of https://github.com/haproxy/haproxy.git