Comment 11 for bug 1841936

David Hedberg (david-hedberg-t) wrote : Re: Rebuild haproxy with openssl 1.1.1 will change features (bionic)

I have done some preliminary testing with 1.8.8-1ubuntu0.5, and most things look good.

However, in our case we have an old (external) client using java6 that we sadly still need to support for a while longer. Using the connection simulation in testssl.sh (and also ssllabs) I can see that connections from java6 now fail with our configuration where they previously succeeded.

I suspect that this is not (directly) related to TLSv1.3. The problem with java6 is usually that it only supports dh parameters with 1024 bits (and TLSv1.0).

According to testssl.sh the DH parameters offered now are:
 DH group offered: RFC3526/Oakley Group 15 (3072 bits)

Before the upgrade it was:
 DH group offered: HAProxy (1024 bits)

I have tried generating custom DH parameters with 1024 bits and specifying them both with the default ssl-dh-param-file setting and directly in the certificate file. I have also tried disabling TLSv1.3 (using no-tlsv13). Neither seems to help.