On Monday 10 September 2012 15:52:23 Willy Tarreau wrote:
> Hi Guillaume,
>
> On Mon, Sep 10, 2012 at 03:46:26PM +0200, Guillaume Castagnino wrote:
> > Nice !
> >
> > Just set up on my personal server with 2 wildcard certificates. It
> > seems to work like a charm :)
> >
> > I use this, TLSv1.2 enabled (so using openssl 1.0.1):
> > bind :::443 ssl crt /etc/ssl/startssl/haproxy/xwing.info.pem crt /etc/ssl/startssl/haproxy/ ciphers ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH prefer-server-ciphers
>
> Nice, thank you for the feedback !
Just one precision on the cert.pem content, to achieve the best
compliance: it seems that haproxy is fine when feeding the full
certificate chain in the .pem file instead of only the
certificate/private key pair (as suggested in the first SSL announce from
last week). This makes clients that do certificate chain verification
happy:
So cert.pem contains:
- Server certificate
- Intermediate CA 1 certificate
- Intermediate CA 2 certificate
...
- Intermediate CA n certificate
- Root CA certificate
- Private key
Of course, the number of intermediate CA may change depending on the
certificate chain of the SSL provider (usually, there is just one
intermediate CA).
And this is just working flawlessly, making SSL nazis happy ;).
Thanks !
--
Guillaume Castagnino
[email protected] / [email protected]
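The bundle layout described in the message above (server certificate first, then the intermediate CA certificates, the root, and finally the private key) is easy to get wrong when concatenating files by hand, and a missing intermediate is exactly what makes chain-verifying clients fail. The following is an added example, not code from the mailing-list post or from haproxy itself: it assembles a PEM bundle in that order and checks an existing bundle's block layout using only the Python standard library. The PEM bodies are constructed placeholders (only the BEGIN/END labels are inspected), and the function names are assumptions of this example.

```python
import re

# Constructed placeholder PEM blocks. The bodies are not real DER data;
# this example only inspects the BEGIN/END labels and their order.
def pem_block(label, body):
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

SERVER_CERT = pem_block("CERTIFICATE", "c2VydmVyLWNlcnQ=")
INTERMEDIATE_CERT = pem_block("CERTIFICATE", "aW50ZXJtZWRpYXRlLWNh")
ROOT_CERT = pem_block("CERTIFICATE", "cm9vdC1jYQ==")
PRIVATE_KEY = pem_block("RSA PRIVATE KEY", "cHJpdmF0ZS1rZXk=")

# One PEM block: matching BEGIN/END labels with a base64 body in between.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)\n-----END \1-----\n?", re.S)

KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
              "ENCRYPTED PRIVATE KEY"}


def build_bundle(server_cert, intermediates, root_cert, private_key):
    """Concatenate the parts in the order given in the post:
    server cert, intermediates (closest to the server first), root, key."""
    parts = [server_cert, *intermediates, root_cert, private_key]
    return "".join(p if p.endswith("\n") else p + "\n" for p in parts)


def pem_labels(bundle):
    """Return the BEGIN labels of every PEM block, in file order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(bundle)]


def check_bundle(bundle):
    """Return a list of layout problems; an empty list means the bundle
    follows the server-cert / chain / key layout from the post."""
    labels = pem_labels(bundle)
    problems = []
    certs = [i for i, lab in enumerate(labels) if lab == "CERTIFICATE"]
    keys = [i for i, lab in enumerate(labels) if lab in KEY_LABELS]
    unknown = [lab for lab in labels
               if lab != "CERTIFICATE" and lab not in KEY_LABELS]

    if not labels:
        problems.append("no PEM blocks found")
    if not certs:
        problems.append("no CERTIFICATE block")
    if len(keys) != 1:
        problems.append(f"expected exactly one private key, found {len(keys)}")
    if certs and certs[0] != 0:
        problems.append("first block must be the server certificate")
    if certs and keys and keys[0] < certs[-1]:
        problems.append("private key must come after all certificates")
    if len(certs) == 1:
        # Leaf-only bundle: chain-verifying clients will reject it.
        problems.append("no CA certificates follow the server certificate "
                        "(chain incomplete)")
    for lab in unknown:
        problems.append(f"unexpected block type: {lab}")
    return problems


if __name__ == "__main__":
    good = build_bundle(SERVER_CERT, [INTERMEDIATE_CERT], ROOT_CERT, PRIVATE_KEY)
    print("full chain:", check_bundle(good) or "ok")
    print("leaf only :", check_bundle(SERVER_CERT + PRIVATE_KEY))
```

Run against a real `cert.pem`, the same `check_bundle(open(path).read())` call flags the two common mistakes (key placed before the certificates, or intermediates forgotten) before the file is handed to haproxy; it does not validate signatures, so `openssl verify` with the CA file remains the final check.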