❦ 22 July 2019 15:19 -05, April King <ap...@mozilla.com>:

> I would also strongly suggest bundling the RFC 7919 2048-bit
> Diffie-Hellman parameters file in the haproxy debian package as well.

For this part, I remember that in the past, it was better to have custom DH parameters than widely used ones. I don't quite understand what has changed since. HAProxy did move away from DH params provided by RFC for this reason. See:

<https://github.com/haproxy/haproxy/commit/d3a341a96fb6107d2b8e3d7a9c0afa2ff43bb0b6>

I've updated the cipher list for bind only:

<https://salsa.debian.org/haproxy-team/haproxy/commit/67f1fddaf24367afb5455b93401d11ae2fbf4f31>

It seems less important for servers to specify ciphers. We didn't do it previously and I wouldn't want to break someone's setup with such a change (even if they are notified of it) as it is more likely to have apps supporting only TLSv1.0 internally.

--
Use the fundamental control flow constructs.
            - The Elements of Programming Style (Kernighan & Plauger)