Hi Christian,
On Thu, Apr 25, Christian Ruppert wrote:
>
> listen genlisten_10320-cust1.tls-tcp
> acl REQ_TLS_HAS_ECC req.ssl_ec_ext eq 1
> tcp-request content accept if { req_ssl_hello_type 1 } # Match Client SSL Hello
>
> use-server socket-10320-rsa if !REQ_TLS_HAS_ECC
> server socket-10320-rsa unix@/run/haproxy-10320-rsa.sock send-proxy-v2
>
> use-server socket-10320-ecc if REQ_TLS_HAS_ECC
> server socket-10320-ecc unix@/run/haproxy-10320-ecc.sock send-proxy-v2
Do you need this tcp frontend for just serving both rsa/ecc
certificates?
If so, I think haproxy can do this (with openssl >= 1.0.2) with the crt keyword:
https://cbonte.github.io/haproxy-dconv/1.9/configuration.html#5.1-crt
-Jarno
> listen genlisten_10320-cust1.tls
>
> bind unix@/run/haproxy-10320-rsa.sock accept-proxy user haproxy group root mode 600 ssl crt /etc/haproxy/test-rsa.pem alpn h2,http/1.1 process 3
> bind unix@/run/haproxy-10320-ecc.sock accept-proxy user haproxy group root mode 600 ssl crt /etc/haproxy/test-ecc.pem alpn h2,http/1.1 process 4-8
--
Jarno Huuskonen
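
The certificate-bundle use of crt suggested above, sketched as an added example that is not part of the original e-mail or of either poster's configuration. The bundle file names, the TCP bind address and the backend server line are assumptions.

```haproxy
# Assumed layout (hypothetical paths): the two PEM files from the quoted
# config copied to one base name with key-type suffixes, which is how
# haproxy recognises a certificate bundle (needs OpenSSL >= 1.0.2):
#   /etc/haproxy/test.pem.rsa     <- contents of test-rsa.pem
#   /etc/haproxy/test.pem.ecdsa   <- contents of test-ecc.pem

listen genlisten_10320-cust1.tls
    mode http

    # Only the base name is passed to crt. haproxy loads the .rsa and
    # .ecdsa files together and serves the certificate whose key type
    # matches what the client offers in its ClientHello.
    # The bind address is an assumption; the thread does not show the
    # original TCP bind line.
    bind :10320 ssl crt /etc/haproxy/test.pem alpn h2,http/1.1

    # Placeholder backend, not from the thread.
    server app1 192.0.2.10:8080
```

With a single bind line the req.ssl_ec_ext ACL, the two unix sockets and the PROXY v2 hop are no longer needed, but the quoted split of RSA handshakes onto process 3 and ECC handshakes onto processes 4-8 cannot be kept this way, because both key types are served from the same listener.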