Feature #8869
open
HAproxy should use RFC 7919 DH parameter files
Added by Stéphane Lapie about 6 years ago.
Updated about 6 years ago.
Description
It would be really nice to have a UI option to generate a custom DH parameter file for HAproxy to use.
The original option is this:
ssl-dh-param-file /dir/file
- Subject changed from HAproxy custom DH parameter file to HAproxy should use RFC 7919 DH parameter files
It should not let you use a self-generated DH parameter file, but use the stock system DH parameter files which are from RFC 7919. See #8582
It only appears to specify the length now, instead of pointing to the files pfSense has for the above-mentioned DH groups.
I understand the intent behind the stock DH parameter files, however some SSL testers raise known DH parameters as something that could be improved. This was my reason for looking into this initially.
As a side note for future reference, if it may help someone, here is what I did on some test pfSense machines:
This ensures the file is eventually generated (it might take a while, yes), even after restoring the pfSense configuration elsewhere.
Accommodating SSL testers that have no concept of proper security procedures isn't something we should aspire to do. It doesn't matter if they flag something that is more secure than they expect. If they question it, point them to the RFC that says this is the best practice.
Using custom DH parameters will be less secure, not more. Following bad advice to pass a scan is, well, bad. Don't let them get away with that.
Understood.
I now remember where I had stumbled upon this idea in the first place; it goes back a few years, to when it was found out that some older OS/SSL library/software combinations only had 1024-bit DH parameters, and you had to explicitly have said software load manually generated parameters to work around this.
I now understand that HAproxy is completely unaffected by this because it has its own set of parameter files for whatever size you might require.
Though, in that regard, the HAproxy documentation stating the following is a bit misleading:
Custom parameters are known to be more secure and therefore their use is recommended.
Custom DH parameters may be generated by using the OpenSSL command "openssl dhparam <size>", where size should be at least 2048, as 1024-bit DH parameters should not be considered secure anymore.
Sorry for the trouble, and thanks for your patient explanation.
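A defender-side check for the point made in this thread, that the DH parameter file HAproxy loads should hold one of the RFC 7919 groups rather than custom parameters. This is an added example, not pfSense or HAProxy code: it derives the ffdhe2048/3072/4096 primes from the RFC's own formula and compares them with the prime inside a PEM "DH PARAMETERS" file; the sample files it reads are constructed by its own dh_pem() helper rather than taken from a pfSense install.

```python
"""Check whether a PEM "DH PARAMETERS" file carries an RFC 7919 ffdhe prime.
Added example, not pfSense or HAProxy code; Python standard library only."""
import base64

def rfc7919_prime(bits, shift, offset):
    """p = 2^bits - 2^(bits-64) + (floor(2^shift * e) + offset) * 2^64 - 1 (RFC 7919, Appendix A)."""
    guard = 64                        # spare low bits so series truncation cannot move the floor
    total, term, k = 0, 1 << (shift + guard), 0
    while term:                       # e = sum(1/k!) evaluated in fixed point
        total, k = total + term, k + 1
        term //= k
    return (1 << bits) - (1 << (bits - 64)) + ((total >> guard) + offset) * (1 << 64) - 1

# (size, e shift, offset) as published in RFC 7919 Appendix A.1 to A.3
FFDHE_GROUPS = {"ffdhe2048": rfc7919_prime(2048, 1918, 560316),
                "ffdhe3072": rfc7919_prime(3072, 2942, 2625351),
                "ffdhe4096": rfc7919_prime(4096, 3966, 5736041)}

def _der_len(n):                      # DER length: short form below 128, else 0x80|N + N bytes
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw
def _der_int(n):                      # DER INTEGER; the extra byte keeps the sign bit clear
    body = n.to_bytes(n.bit_length() // 8 + 1, "big")
    return b"\x02" + _der_len(len(body)) + body
def _read_tlv(buf, pos):              # -> (tag, value bytes, position after the element)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                     # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def dh_pem(p, g=2):
    """Write a PEM 'DH PARAMETERS' file: SEQUENCE { INTEGER p, INTEGER g } (PKCS#3 DHParameter)."""
    der = _der_int(p) + _der_int(g)
    b64 = base64.b64encode(b"\x30" + _der_len(len(der)) + der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n%s\n-----END DH PARAMETERS-----\n" % "\n".join(lines)
def dh_prime_from_pem(pem):
    """Read p back out of a PEM 'DH PARAMETERS' file, such as one named by ssl-dh-param-file."""
    body = "".join(l.strip() for l in pem.splitlines() if not l.startswith("-----"))
    tag, seq, _ = _read_tlv(base64.b64decode(body), 0)
    assert tag == 0x30, "expected SEQUENCE"
    tag, p_bytes, _ = _read_tlv(seq, 0)
    assert tag == 0x02, "expected INTEGER p"
    return int.from_bytes(p_bytes, "big")
def identify_dh_group(pem):
    """Name of the RFC 7919 group whose prime the file carries, or None for custom parameters."""
    p = dh_prime_from_pem(pem)
    return next((name for name, prime in FFDHE_GROUPS.items() if prime == p), None)
```

Calling identify_dh_group(open(path).read()) on the file named by ssl-dh-param-file returns the group name, or None when the file holds custom parameters that no SSL tester should be asking for.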