Gitiles
Code Review Sign In
git01.mediatek.com / haproxy / 528b3fd9bef74a408ae42fc2bd03c02ed3b45b52
commit528b3fd9bef74a408ae42fc2bd03c02ed3b45b52[log] [tgz]
authorRemi Tricot-Le Breton <rlebreton@haproxy.com>Tue Apr 12 11:31:54 2022 +0200
committerWilliam Lallemand <wlallemand@haproxy.org>Wed Apr 20 17:30:52 2022 +0200
treeaf5f7cb55e096bfccbb679038eb75efce599b052
parent43041aaefd5d42092021161539c861894fbcfdc1 [diff]
MINOR: ssl: Use DH parameters defined in RFC7919 instead of hard coded ones

RFC7919 defined sets of DH parameters supposedly strong enough to be
used safely. We will then use them when we can instead of our hard coded
ones (namely the ffdhe2048 and ffdhe4096 named groups).
The ffdhe2048 and ffdhe4096 named groups were integrated in OpenSSL
starting with version 1.1.1. Instead of duplicating those parameters in
haproxy for older versions of OpenSSL, we will keep using our own
parameters when they are not provided by the SSL library.
We will also need to keep our 1024 bits DH parameters since they are
considered not safe enough to have a dedicated named group in RFC7919
but we must still keep it for retrocompatibility with old Java clients.

This request was described in GitHub issue #1604.
1 file changed
tree: af5f7cb55e096bfccbb679038eb75efce599b052
  1. .github/
  2. addons/
  3. admin/
  4. dev/
  5. doc/
  6. examples/
  7. include/
  8. reg-tests/
  9. scripts/
  10. src/
  11. tests/
  12. .cirrus.yml
  13. .gitattributes
  14. .gitignore
  15. .mailmap
  16. .travis.yml
  17. BRANCHES
  18. CHANGELOG
  19. CONTRIBUTING
  20. INSTALL
  21. LICENSE
  22. MAINTAINERS
  23. Makefile
  24. README
  25. ROADMAP
  26. SUBVERS
  27. VERDATE
  28. VERSION