Prior to Update:
E: DH group offered: RFC5114/2048-bit DSA group with 224-bit prime order subgroup (2048 bits)
D: DH group offered: RFC5114/2048-bit DSA group with 224-bit prime order subgroup (2048 bits)
B: DH group offered: HAProxy (1024 bits)
=> D+E on wrong defaults!
With tuning to specific key (2048):
tune.ssl.default-dh-param 2048
E: DH group offered: RFC5114/2048-bit DSA group with 224-bit prime order subgroup (2048 bits)
D: DH group offered: RFC5114/2048-bit DSA group with 224-bit prime order subgroup (2048 bits)
B: DH group offered: HAProxy (2048 bits)
=> E+D ignore the config!
## Post Update ##
E: DH group offered: HAProxy (1024 bits)
D: DH group offered: HAProxy (1024 bits)
B: DH group offered: HAProxy (1024 bits)
=> E+D back on the expected default
=> B not broken by rebuild
With tuning to specific key (2048):
tune.ssl.default-dh-param 2048
E: DH group offered: HAProxy (2048 bits)
D: DH group offered: HAProxy (2048 bits)
B: DH group offered: HAProxy (2048 bits)
=> E+D: Config now works
=> B not broken by rebuild
Also on Bionic now (for the initial TLSv1.3 request):
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
Testing protocols via sockets except NPN+ALPN
SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 offered (deprecated)
TLS 1.1 offered (deprecated)
TLS 1.2 offered (OK)
TLS 1.3 offered (OK): final
...
Thanks to David for the extended test with a real configuration!
Marking this verified
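The "DH group offered" lines above come from a scanner run against each build. Here is an added example, not part of the bug report and not code from HAProxy or Ubuntu, that reproduces the same check with plain openssl s_client: it forces a TLS 1.2 DHE handshake so the server cannot fall back to ECDHE, reads the "Server Temp Key: DH, N bits" line that OpenSSL 1.1.x and later print, and compares it against a minimum. The host, port and the 2048-bit threshold are assumptions; the s_client output sample in the comments is constructed.

```shell
#!/bin/sh
# Added example (not from the bug report): check which finite-field DH
# group a TLS listener actually offers, e.g. a HAProxy frontend after
# setting "tune.ssl.default-dh-param 2048" in the global section.
#
# Assumptions (not stated on the page): openssl 1.1.x or newer, whose
# s_client prints "Server Temp Key: DH, 2048 bits" for DHE suites, and
# a listener reachable at HOST:PORT. The sample lines below are constructed.

# Parse the DH size out of s_client output read from stdin.
# Prints the bit count, or 0 if no ephemeral finite-field DH key was
# negotiated (e.g. the server picked X25519 / ECDH instead).
dh_bits_from_s_client() {
    # Constructed sample input: "Server Temp Key: DH, 2048 bits"
    awk -F'[, ]+' '
        /^Server Temp Key: DH/ { print $(NF-1); found = 1; exit }
        END { if (!found) print 0 }
    '
}

# Returns 0 when BITS is at least MIN, 1 otherwise.
dh_bits_ok() {
    bits=$1; min=$2
    [ "$bits" -ge "$min" ]
}

# Connect with DHE-only cipher suites over TLS 1.2 (TLS 1.3 does not use
# these classic DHE suites) and verify the group size.
# Usage: check_dh_group HOST PORT [MIN_BITS]
check_dh_group() {
    host=$1; port=$2; min=${3:-2048}
    bits=$(openssl s_client -connect "$host:$port" -tls1_2 -cipher 'DHE' \
              </dev/null 2>/dev/null | dh_bits_from_s_client)
    if dh_bits_ok "$bits" "$min"; then
        echo "OK: $host:$port offers a $bits-bit DH group (>= $min)"
    else
        echo "WEAK: $host:$port offers a $bits-bit DH group (< $min)"
        return 1
    fi
}

# Run directly as: ./check_dh.sh 127.0.0.1 443 2048
if [ "$#" -ge 2 ]; then
    check_dh_group "$@"
fi
```

A result of 1024 bits from a listener that has "tune.ssl.default-dh-param 2048" in its global section is exactly the "ignore the config" symptom reported before the update; a 0 means the server never offered finite-field DHE at all, which is worth distinguishing from a weak group before reading too much into the number.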