HAProxy SSL/TLS Warning: Setting tune.ssl.default-dh-param to 1024 by default


When configuring HAProxy with SSL/TLS, you might see a warning message like this:


[WARNING] 096/214815 (5805) : parsing [/etc/haproxy/haproxy.cfg:67] : 'bind 0.0.0.0:443' :
  unable to load default 1024 bits DH parameter for certificate '/etc/haproxy/bundle.pem'.
  , SSL library will use an automatically generated DH parameter.
[WARNING] 096/214815 (5805) : Setting tune.ssl.default-dh-param to 1024 by default, if your workload permits it you should set it to at least 2048. Please set a value >= 1024 to make this warning disappear.


The HAProxy server is defaulting to a 1024-bit Diffie-Hellman parameter; the warning itself recommends raising it to at least 2048.


HAProxy includes a command that examines and validates its configuration file. You can use it to check for syntax errors or invalid settings without restarting HAProxy:

sudo haproxy -c -f /etc/haproxy/haproxy.cfg

If your server is configured with SSL/TLS and does not have a tune.ssl.default-dh-param set, then you will receive the above warning.


Resolving the Warning

Generate a dhparams.pem file using the OpenSSL utility. Once the file is created, you’ll add it to your global HAProxy configuration section so that any frontend blocks will inherit the setting.

openssl dhparam -out /etc/haproxy/dhparams.pem 2048

Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
........................+...........................................................................................................................................+....................................................+...................................+....................................................................................................................................................................................................+..........................................


Edit the HAProxy configuration file:

vi haproxy.cfg

Now add the following two lines to the global section, after the ssl-default-server-ciphers PROFILE=SYSTEM line:

ssl-dh-param-file /etc/haproxy/dhparams.pem
tune.ssl.default-dh-param 2048

Now validate the HAProxy configuration file again; it should report that the configuration is valid and the warning should be gone.

# haproxy -c -f /etc/haproxy/haproxy.cfg
Configuration file is valid
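The post's fix is easy to get subtly wrong (directive placed outside the global section, a value below 2048, or a dhparams file that was never generated). The following POSIX shell script is an added example, not part of the original post or of HAProxy itself: it audits a haproxy.cfg for the two directives above, reading only the global section, fails when tune.ssl.default-dh-param is missing or below 2048, and, when OpenSSL and the file are available, reports the actual bit size of the generated dhparams.pem. The sample configurations it checks are constructed inline for illustration; the function names and the MIN_DH_BITS threshold are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): audit an HAProxy configuration
# for the Diffie-Hellman settings. Assumes POSIX sh and awk; openssl is optional.

# Minimum DH size we accept; the HAProxy warning recommends at least 2048.
MIN_DH_BITS=2048

# Print the value of a directive from the 'global' section of an HAProxy
# config, or nothing if it is not set there. Both DH directives are
# global-only, so lines in frontend/backend/listen sections are ignored.
global_directive() {
    cfg="$1"; name="$2"
    awk -v want="$name" '
        /^[ \t]*#/ { next }                                   # skip comments
        /^[ \t]*global([ \t]|$)/ { in_global = 1; next }      # enter global
        /^[ \t]*(defaults|frontend|backend|listen|peers|resolvers|userlist)([ \t]|$)/ { in_global = 0 }
        in_global && $1 == want { print $2; exit }
    ' "$cfg"
}

# Report the bit size of a dhparams.pem via OpenSSL. Returns 1 (prints
# nothing) when the file is unreadable or openssl is not installed.
dh_file_bits() {
    [ -r "$1" ] && command -v openssl >/dev/null 2>&1 || return 1
    openssl dhparam -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*(\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Exit 0 when DH parameters are configured with at least MIN_DH_BITS,
# 1 otherwise. Prints a one-line verdict.
check_dh_config() {
    cfg="$1"
    bits=$(global_directive "$cfg" tune.ssl.default-dh-param)
    file=$(global_directive "$cfg" ssl-dh-param-file)
    if [ -z "$bits" ]; then
        echo "FAIL: tune.ssl.default-dh-param not set in global section; HAProxy warns and falls back to 1024"
        return 1
    fi
    case "$bits" in
        *[!0-9]*) echo "FAIL: tune.ssl.default-dh-param has non-numeric value '$bits'"; return 1 ;;
    esac
    if [ "$bits" -lt "$MIN_DH_BITS" ]; then
        echo "FAIL: tune.ssl.default-dh-param is $bits, below $MIN_DH_BITS"
        return 1
    fi
    if [ -z "$file" ]; then
        echo "WARN: tune.ssl.default-dh-param is $bits but no ssl-dh-param-file is set; HAProxy will use its built-in $bits-bit group"
    else
        actual=$(dh_file_bits "$file")
        echo "OK: tune.ssl.default-dh-param is $bits, ssl-dh-param-file $file${actual:+ ($actual bit on disk)}"
    fi
    return 0
}

# Constructed sample configs: one before the fix, one after it.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/weak.cfg" <<'EOF'
global
    log /dev/log local0
    ssl-default-bind-ciphers PROFILE=SYSTEM
    ssl-default-server-ciphers PROFILE=SYSTEM

frontend https_in
    bind 0.0.0.0:443 ssl crt /etc/haproxy/bundle.pem
EOF
cat > "$SAMPLE_DIR/fixed.cfg" <<'EOF'
global
    log /dev/log local0
    ssl-default-bind-ciphers PROFILE=SYSTEM
    ssl-default-server-ciphers PROFILE=SYSTEM
    ssl-dh-param-file /etc/haproxy/dhparams.pem
    tune.ssl.default-dh-param 2048

frontend https_in
    bind 0.0.0.0:443 ssl crt /etc/haproxy/bundle.pem
EOF

# Usage: run stand-alone to see one FAIL and one OK verdict, or call
# check_dh_config /etc/haproxy/haproxy.cfg on a real host.
for f in weak fixed; do
    check_dh_config "$SAMPLE_DIR/$f.cfg" || echo "  -> $f.cfg needs the fix described above"
done
```

On a live host, run `haproxy -c -f` as the post shows after this script reports OK: the script only confirms the directives are present and sized sensibly, while HAProxy's own check confirms the file actually loads.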


