In this tutorial you will learn how to troubleshoot and fix an HAProxy Setting tune.ssl.default-dh-param to 1024 by default
warning message using the methods described in the How to Troubleshoot Common HAProxy Errors tutorial at the beginning of this series. One you confirm that your server is generating the warning message, you will learn how to fix it by setting HAProxy’s ssl-dh-param-file
configuration option to use a custom dhparams.pem
file.
You may encounter an HAProxy Setting tune.ssl.default-dh-param to 1024 by default
warning message when your HAProxy server is configured with an SSL/TLS certificate and the tune.ssl.default-dh-param
parameter is not set in HAProxy’s haproxy.cfg
configuration file. When the parameter is not set, HAProxy will default to a value of 1024 bits for the Diffie-Hellman key agreement portion of the TLS handshake, which is considered insecure.
Your HAProxy server may trigger this warning without you knowing about it. You can configure an SSL/TLS certificate and HAProxy will run, but the server may be warning you about the issue in the background. If you aren’t sure whether your HAProxy server is defaulting to a 1024 bit Diffie-Hellman parameter, you can use a tool like the SSL Labs Server Test to check for you. If you receive a report that has a line This server supports weak Diffie-Hellman (DH) key exchange parameters
, then your HAProxy server is affected.
If you have already determined that your HAProxy server is generating a warning about the tune.ssl.default-dh-param
setting and you would like to skip troubleshooting, the Resolving a Secure tune.ssl.default-dh-param
Warning section at the end of this tutorial explains how to fix the issue.
tune.ssl.default-dh-param
Warning Using systemctl
Following the troubleshooting steps from the How to Troubleshoot Common HAProxy Errors tutorial at the beginning of this series, the first step when you are troubleshooting a Setting tune.ssl.default-dh-param to 1024 by default
warning message is to check HAProxy’s status with systemctl
.
The output from systemctl status
may contain all the diagnostic information that you need to resolve the error. However, it is important to examine the current status of the haproxy
service to ensure that it is running and that any services that rely on it are still able to function while you resolve the warning.
Use this systemctl
command to examine HAProxy’s status on any Linux distribution:
- sudo systemctl status haproxy.service -l --no-pager
The -l
flag will ensure that systemctl
outputs the entire contents of a line, instead of substituting in ellipses (…
) for long lines. The --no-pager
flag will output the entire log to your screen without invoking a tool like less
that only shows a screen of content at a time.
Since you are troubleshooting a Setting tune.ssl.default-dh-param to 1024 by default
warning message, you should receive output that is similar to the following:
Output● haproxy.service - HAProxy Load Balancer
Loaded: loaded (/usr/lib/systemd/system/haproxy.service; disabled; vendor preset: disabled)
Active: active (running) since Tue 2020-10-06 14:31:39 UTC; 2min 31s ago
Process: 71406 ExecStartPre=/usr/sbin/haproxy -f $CONFIG -c -q (code=exited, status=0/SUCCESS)
Main PID: 71407 (haproxy)
. . .
Oct 06 14:31:39 bb9fb4c53743 systemd[1]: Starting HAProxy Load Balancer...
Oct 06 14:31:39 bb9fb4c53743 haproxy[71407]: [WARNING] 279/143139 (71407) : parsing [/etc/haproxy/haproxy.cfg:69] : 'bind *:5000' :
Oct 06 14:31:39 bb9fb4c53743 haproxy[71407]: unable to load default 1024 bits DH parameter for certificate '/etc/haproxy/fullchain.pem'.
Oct 06 14:31:39 bb9fb4c53743 haproxy[71407]: , SSL library will use an automatically generated DH parameter.
Oct 06 14:31:39 bb9fb4c53743 haproxy[71407]: [WARNING] 279/143139 (71407) : Setting tune.ssl.default-dh-param to 1024 by default, if your workload permits it you should set it to at least 2048. Please set a value >= 1024 to make this warning disappear.
Oct 06 14:31:39 bb9fb4c53743 haproxy[71407]: Proxy main started.
Oct 06 14:31:39 bb9fb4c53743 haproxy[71407]: Proxy static started.
Oct 06 14:31:39 bb9fb4c53743 haproxy[71407]: Proxy app started.
Oct 06 14:31:39 bb9fb4c53743 systemd[1]: Started HAProxy Load Balancer.
There are two important highlighted sections to note in this output. The first is the active (running)
line, which indicates that HAProxy is available and running. If your server shows a line like Active: failed
, then you will need to troubleshoot HAProxy using the methods described in the How to Troubleshoot Common HAProxy Errors tutorial at the beginning of this series.
The second set of highlighted lines are from the systemd
journal and contain the tune.ssl.default-dh-param
warning. These lines give you all the information about the warning, how it is triggered, the steps taken by HAProxy, and how to resolve it.
If your systemctl
output includes lines with the tune.ssl.default-dh-param
warning, then skip to the Resolving a tune.ssl.default-dh-param
Warning section at the end of this tutorial to learn how to configure HAProxy with a more secure value.
Otherwise if your systemctl
output does not give specific information about the warning, but you know that your server is using weak Diffie-Hellman parameters, the next section of this tutorial will guide you through using journalctl
logs to locate the warning message.
tune.ssl.default-dh-param
Warning Using journalctl
If your systemctl
output does not include a tune.ssl.default-dh-param
warning but you know that your server is affected, you should proceed with using the journalctl
command to examine systemd
logs for HAProxy.
Run the following command on any Linux distribution to inspect the systemd
journal’s logs for the haproxy
service:
- sudo journalctl -u haproxy.service -l --no-pager | grep tune.ssl.default-dh-param
The | grep tune.ssl.default-dh-param
portion of the command uses a pipe (|
) to send the output from journalctl
to the grep
command as input. Using the pipe means that only matching lines from the journal will be shown on your screen.
If the journal includes a tune.ssl.default-dh-param
warning, then you will receive output like the following:
OutputOct 06 14:31:39 bb9fb4c53743 haproxy[71407]: [WARNING] 279/143139 (71407) : Setting tune.ssl.default-dh-param to 1024 by default, if your workload permits it you should set it to at least 2048. Please set a value >= 1024 to make this warning disappear.
Since this output includes the warning you can skip to the Setting a Secure tune.ssl.default-dh-param
Value section at the end of this tutorial to learn how to configure HAProxy with a more secure value.
If you do not receive any output after running the journaltcl
command, the next section will demonstrate how you can check for a tune.ssl.default-dh-param
warning using HAProxy’s built-in configuration checking tool.
tune.ssl.default-dh-param
Warning Using haproxy -c
or Log FilesHAProxy includes a command that can examine and validate its configuration files. You can use the command to check for syntax errors or invalid settings without restarting HAProxy and risking downtime for your services. Additionally, if your HAProxy server is configured to log output to a file or the system logs, you can examine the log files to check for a tune.ssl.default-dh-param
warning.
To check for a tune.ssl.default-dh-param
warning using HAProxy itself, run the following command on any Linux distribution. If your HAProxy configuration file is in a different location than the highlighted /etc/haproxy/haproxy.cfg
path, be sure to substitute in the correct path to your file:
- sudo haproxy -c -f /etc/haproxy/haproxy.cfg
If your server is configured with SSL/TLS and does not have a tune.ssl.default-dh-param
set, then you will receive warning output similar to the following:
Output[WARNING] 279/150829 (71512) : parsing [/etc/haproxy/haproxy.cfg:69] : 'bind *:5000' :
unable to load default 1024 bits DH parameter for certificate '/etc/haproxy/fullchain.pem'.
, SSL library will use an automatically generated DH parameter.
[WARNING] 279/150829 (71512) : Setting tune.ssl.default-dh-param to 1024 by default, if your workload permits it you should set it to at least 2048. Please set a value >= 1024 to make this warning disappear.
Configuration file is valid
The highlighted line contains the tune.ssl.default-dh-param
warning.
To check for the warning message using HAProxy’s logs, you can search for lines that match the tune.ssl.default-dh-param
string using the grep
command. Run the following command to check for warnings:
- sudo grep tune.ssl.default-dh-param /var/log/haproxy.log
Note that if you have configured HAproxy with a different log location, be sure to substitute in your path in place of the highlighted /var/log/haproxy.log
file.
If your server is generating the warning, then you will receive output like the following:
OutputOct 6 14:31:39 bb9fb4c53743 haproxy[71407]: [WARNING] 279/143139 (71407) : Setting tune.ssl.default-dh-param to 1024 by default, if your workload permits it you should set it to at least 2048. Please set a value >= 1024 to make this warning disappear.
Note: Your log files may not include the warning message, but the haproxy -c
command will still generate the warning. If this is the case, then it is likely that your HAproxy service has been running for long enough that the log file was rotated, so it does not include the warning.
Checking for the message using the haproxy -c
method is the most reliable way to determine if your server is affected, so you can safely disregard missing log file entries.
Now that you have determined whether your server is generating a tune.ssl.default-dh-param
warning, you can proceed to the next step in this tutorial, which explains two methods that you can use to resolve the issue.
tune.ssl.default-dh-param
WarningYou can resolve a tune.ssl.default-dh-param
warning in HAProxy with a few different settings. One option is to set the tune.ssl.default-dh-param
value to something larger than 1024 explicitly in /etc/haproxy/haproxy.cfg
per the warning message. However, the HAProxy documentation recommends specifying custom Diffie-Hellman parameters since that approach is more secure, so we’ll use that method instead.
First you’ll generate a dhparams.pem
file using the openssl
utility. Once the file is created, you’ll add it to your global HAProxy configuration section so that any frontend
blocks will inherit the setting.
To generate the custom DH parameters, run the following:
- sudo openssl dhparam -out /etc/haproxy/dhparams.pem 2048
You will receive output like the following:
OutputGenerating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
..............
Once the command completes, configure HAProxy to use the custom DH parameters file. Open /etc/haproxy/haproxy.cfg
in vi
or your preferred editor.
sudo vi /etc/haproxy/haproxy.cfg
Find the section in the file like the following:
Output. . .
# turn on stats unix socket
stats socket /var/lib/haproxy/stats
# utilize system-wide crypto-policies
#ssl-default-bind-ciphers PROFILE=SYSTEM
ssl-default-server-ciphers PROFILE=SYSTEM
Now add a line after the ssl-default-server-ciphers PROFILE=SYSTEM
line like this:
ssl-dh-param-file /etc/haproxy/dhparams.pem
The entire section should resemble the following, including the new highlighted ssl-dh-param-file
line that you added:
/etc/haproxy/haproxy.cfg. . .
# turn on stats unix socket
stats socket /var/lib/haproxy/stats
# utilize system-wide crypto-policies
#ssl-default-bind-ciphers PROFILE=SYSTEM
ssl-default-server-ciphers PROFILE=SYSTEM
ssl-dh-param-file /etc/haproxy/dhparams.pem
When you are done editing the file, save and close it by pressing ESC
, typing :wq
, and pressing ENTER
.
Test the configuration using the haproxy -c
command to ensure that you have added the correct setting and that HAProxy can access the custom dhparams.pem
file:
- sudo haproxy -c -f /etc/haproxy/haproxy.cfg
You should receive output stating that the configuration is valid like the following:
OutputConfiguration file is valid
If your configuration is valid, restart HAProxy so that it uses the new Diffie-Hellman parameters file:
- sudo systemctl restart haproxy.service
You have now configured HAProxy with a 2048 bit set of custom Diffie-Hellman parameters that all frontends will be able to use. You have also suppressed the tune.ssl.default-dh-param
warnings.
In this tutorial, you learned how to troubleshoot an HAProxy Setting tune.ssl.default-dh-param to 1024 by default
warning message. You explored four different methods to examine HAProxy’s configuration to find the message. First you used systemctl
and journalctl
to examine the status of the HAProxy server and try to find the message in the systemd
logs. Then you examined the HAProxy configuration file using the built in haproxy -c
configuration check. Finally you checked for log entries using the grep
command on HAProxy’s log file.
After you confirmed that your server was generating a Setting tune.ssl.default-dh-param to 1024 by default
warning message, you generated a custom Diffie-Hellman parameters file and configured HAProxy to use it by setting the ssl-dh-param-file
configuration directive.
Now that you have that configuration in place, your HAProxy server will default to using the more secure Diffie-Hellman parameters, and the tune.ssl.default-dh-param
warning message will no longer be in your logs.
Thanks for learning with the DigitalOcean Community. Check out our offerings for compute, storage, networking, and managed databases.
This tutorial series explains how to troubleshoot and fix some of the most common errors that you may encounter when using the HAProxy TCP and HTTP proxy server.
Each tutorial in this series includes descriptions of common HAProxy configuration, network, filesystem, or permission errors. The series begins with an overview of the commands and log files that you can use to troubleshoot HAProxy. Subsequent tutorials examine specific errors in detail.
This textbox defaults to using Markdown to format your answer.
You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!
Sign up for Infrastructure as a Newsletter.
Working on improving health and education, reducing inequality, and spurring economic growth? We'd like to help.
Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.