HAProxy SSL/TLS Warning: Setting tune.ssl.default-dh-param to 1024 by default
When starting or validating an HAProxy configuration that terminates TLS, you might see warning messages like these:
[WARNING] 096/214815 (5805) : parsing [/etc/haproxy/haproxy.cfg:67] : 'bind 0.0.0.0:443' :
unable to load default 1024 bits DH parameter for certificate '/etc/haproxy/bundle.pem'.
, SSL library will use an automatically generated DH parameter.
[WARNING] 096/214815 (5805) : Setting tune.ssl.default-dh-param to 1024 by default, if your workload permits it you should set it to at least 2048. Please set a value >= 1024 to make this warning disappear.
In other words, HAProxy found no Diffie-Hellman parameters for the certificate and is falling back to a 1024-bit DH group for DHE key exchanges. That size is weak by today's standards (the 2015 Logjam research showed 1024-bit groups to be within reach of a well-resourced attacker), so the warning is worth fixing rather than silencing.
HAProxy can check a configuration file without starting or restarting the service, which is a convenient way to look for syntax errors or invalid settings such as this one:
sudo haproxy -c -f /etc/haproxy/haproxy.cfg
If your bind lines use ssl and neither the certificate file carries DH parameters nor the global section sets ssl-dh-param-file or tune.ssl.default-dh-param, you will receive the warning above.
Resolving the Warning
Generate a dhparams.pem file using the OpenSSL utility. Once the file is created, add it to the global section of the HAProxy configuration so that every frontend bind line that terminates TLS inherits the setting.
openssl dhparam -out /etc/haproxy/dhparams.pem 2048
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
........................+...........................................................................................................................................+....................................................+...................................+....................................................................................................................................................................................................+..........................................
Edit the HAProxy configuration file:
vi /etc/haproxy/haproxy.cfg
Then add two lines to the global section, for example after the ssl-default-server-ciphers PROFILE=SYSTEM line:
ssl-dh-param-file /etc/haproxy/dhparams.pem
tune.ssl.default-dh-param 2048
Either directive alone is enough to make the warning disappear: ssl-dh-param-file points HAProxy at the group you just generated, and tune.ssl.default-dh-param 2048 raises the size of the fallback parameters HAProxy uses when no static DH group is supplied. Setting both is harmless and keeps you covered if the file is ever removed. Both directives are only valid in the global section.
Now validate the configuration file again (it should report that it is valid) and then reload HAProxy, for example with systemctl reload haproxy, so that the running processes pick up the change:
# haproxy -c -f /etc/haproxy/haproxy.cfg
Configuration file is valid
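The whole procedure above (generate the group, make sure the global section actually carries a DH setting, validate) can be scripted. The following is an added example, not code from the original post or from the HAProxy project; the paths, the DH_BITS/HAPROXY_CFG/DH_FILE variables and the "apply" argument are assumptions for this example. The config check is a small awk pass that only honours the two directives inside the global section, so a directive accidentally pasted into a frontend is reported as missing, which mirrors what HAProxy itself would do.

```sh
#!/bin/sh
# Added example, not from the original post: generate a 2048-bit DH group,
# confirm the HAProxy global section has an explicit DH setting, and
# validate the configuration. Paths below are assumptions; override them
# with the HAPROXY_CFG, DH_FILE and DH_BITS environment variables.

HAPROXY_CFG="${HAPROXY_CFG:-/etc/haproxy/haproxy.cfg}"
DH_FILE="${DH_FILE:-/etc/haproxy/dhparams.pem}"
DH_BITS="${DH_BITS:-2048}"

# Print the bit length of the prime in a PEM DH-parameter file; prints
# nothing if the file is missing or does not hold valid DH parameters.
dh_param_bits() {
    openssl dhparam -in "$1" -check -noout -text 2>/dev/null \
        | sed -n 's/.*DH Parameters: (\([0-9][0-9]*\) bit).*/\1/p'
}

# Return 0 when the global section of the haproxy.cfg given as $1 has an
# explicit DH setting: an ssl-dh-param-file, or a tune.ssl.default-dh-param
# of at least $2 bits. Other sections are ignored because HAProxy only
# accepts these two directives in 'global'.
cfg_has_dh_setting() {
    awk -v min="$2" '
        /^[ \t]*global[ \t]*(#.*)?$/ { in_global = 1; next }
        /^[ \t]*(defaults|frontend|backend|listen|peers|resolvers|userlist|cache|program|ring|http-errors|mailers|fcgi-app|crt-store|log-forward)([ \t]|$)/ { in_global = 0 }
        in_global && $1 == "ssl-dh-param-file" && $2 != ""            { ok = 1 }
        in_global && $1 == "tune.ssl.default-dh-param" && $2 + 0 >= min { ok = 1 }
        END { exit(ok ? 0 : 1) }
    ' "$1"
}

# Generate the group only when no file of the required size exists yet;
# safe-prime generation takes minutes, but it is a one-time cost.
ensure_dh_file() {
    bits=$(dh_param_bits "$DH_FILE")
    if [ "${bits:-0}" -ge "$DH_BITS" ]; then
        echo "keeping existing $DH_FILE ($bits bit)"
        return 0
    fi
    echo "generating $DH_BITS-bit DH parameters in $DH_FILE"
    openssl dhparam -out "$DH_FILE" "$DH_BITS"
}

# Real run: build the file, insist on an explicit global setting, validate.
# The config is deliberately not edited in place; the operator is told what
# to add and where, so a live config is never changed blindly.
apply() {
    ensure_dh_file
    if ! cfg_has_dh_setting "$HAPROXY_CFG" "$DH_BITS"; then
        echo "no DH setting of >= $DH_BITS bits in the global section of $HAPROXY_CFG; add:" >&2
        printf '    ssl-dh-param-file %s\n    tune.ssl.default-dh-param %s\n' "$DH_FILE" "$DH_BITS" >&2
        return 1
    fi
    haproxy -c -f "$HAPROXY_CFG"
}

# Offline demonstration on two constructed configs (sample input written
# here, not real files): one still on the 1024-bit fallback, one fixed.
self_check() {
    dir=$(mktemp -d)
    cat > "$dir/weak.cfg" <<'EOF'
global
    log /dev/log local0

frontend https
    bind 0.0.0.0:443 ssl crt /etc/haproxy/bundle.pem
EOF
    cat > "$dir/fixed.cfg" <<'EOF'
global
    ssl-default-server-ciphers PROFILE=SYSTEM
    ssl-dh-param-file /etc/haproxy/dhparams.pem
    tune.ssl.default-dh-param 2048

frontend https
    bind 0.0.0.0:443 ssl crt /etc/haproxy/bundle.pem
EOF
    for f in weak fixed; do
        if cfg_has_dh_setting "$dir/$f.cfg" 2048; then
            echo "$f.cfg: explicit DH setting present"
        else
            echo "$f.cfg: would warn, no DH setting >= 2048 bits in global"
        fi
    done
    rm -rf "$dir"
}

case "${1:-}" in
    apply) apply ;;
    *)     self_check ;;
esac
```

Run it with no arguments to see the checker's verdict on the two constructed configs; run it with apply on a real host (as root, with openssl and haproxy installed) to generate the group, verify the global section and run the same haproxy -c validation shown above.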