I found this example for apache2:
SSLCipherSuite @SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
Which reads similar to the default haproxy config:
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
now modified to
ssl-default-bind-ciphers @SECLEVEL=0:ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
But even that (along with all the other combinations that felt even less appropriate) worked.
I always get the 2048 bit key now :-/
haproxy IRC replied (thanks) in the meantime and suggested [1] so I'm giving that a try now ...
[1]: https://cbonte.github.io/haproxy-dconv/1.7/configuration.html#3.1-ssl-dh-param-file