Gitiles
Code Review Sign In
git01.mediatek.com / haproxy / 47783ef05b3516d3ef7d590a772c859d36d54f61^! / . / doc / configuration.txt
commit47783ef05b3516d3ef7d590a772c859d36d54f61[log] [tgz]
authorRemi Gacogne <rgacogne@aquaray.fr>Fri May 29 15:53:22 2015 +0200
committerWilly Tarreau <w@1wt.eu>Sun May 31 22:02:00 2015 +0200
tree15bcffe74dd97f39421ca85e2be600bb0cb3433b
parent79318d79ba584be4e39cb484be9916f85861d841 [diff] [blame]
MEDIUM: ssl: add the possibility to use a global DH parameters file

This patch adds the ssl-dh-param-file global setting. It sets the
default DH parameters that will be used during the SSL/TLS handshake when
ephemeral Diffie-Hellman (DHE) key exchange is used, for all "bind" lines
which do not explicitely define theirs.

diff --git a/doc/configuration.txt b/doc/configuration.txt
index 9676643..655ede0 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt

@@ -766,6 +766,20 @@
   default ssl-options to force on all "server" lines. Please check the "server"
   keyword to see available options.
 
+ssl-dh-param-file <file>
+  This setting is only available when support for OpenSSL was built in. It sets
+  the default DH parameters that are used during the SSL/TLS handshake when
+  ephemeral Diffie-Hellman (DHE) key exchange is used, for all "bind" lines
+  which do not explicitely define theirs. It will be overridden by custom DH
+  parameters found in a bind certificate file if any. If custom DH parameters
+  are not specified either by using ssl-dh-param-file or by setting them directly
+  in the certificate file, pre-generated DH parameters of the size specified
+  by tune.ssl.default-dh-param will be used. Custom parameters are known to be
+  more secure and therefore their use is recommended.
+  Custom DH parameters may be generated by using the OpenSSL command
+  "openssl dhparam <size>", where size should be at least 2048, as 1024-bit DH
+  parameters should not be considered secure anymore.
+
 ssl-server-verify [none|required]
   The default behavior for SSL verify on servers side. If specified to 'none',
   servers certificates are not verified. The default is 'required' except if
@@ -1224,7 +1238,8 @@
   this maximum value. Default value if 1024. Only 1024 or higher values are
   allowed. Higher values will increase the CPU load, and values greater than
   1024 bits are not supported by Java 7 and earlier clients. This value is not
-  used if static Diffie-Hellman parameters are supplied via the certificate file.
+  used if static Diffie-Hellman parameters are supplied either directly
+  in the certificate file or by using the ssl-dh-param-file parameter.
 
 tune.zlib.memlevel <number>
   Sets the memLevel parameter in zlib initialization for each session. It