Hi All,

I saw some traffic on the list from Guillaume and others about this, but I
thought I'd confirm a real world production use of a GoDaddy[1] SSL
certificate (which requires an intermediate certificate for some use
cases, specifically Java applications).

I used the following line in haproxy.cfg:

    bind :443 ssl crt /path/to/domain.com.crt ca-file /path/to/ca.pem ciphers ECDHE-RSA-AES256-SHA:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM

In /path/to/domain.com.crt, I have:
    My private key (the one used to generate the CSR)
    The final certificate for my domain (downloaded from the provider)
    The intermediate certificate (from the .zip file with the CA bundle
    provided by GoDaddy)

In /path/to/ca.pem I just took the gd_bundle file provided by GoDaddy.

I took the ciphers restriction from an exceliance blog post[2]; it seems to
effectively shut up the BEAST attack alerts on the SSL checker websites.

I found the utility at https://www.digicert.com/util/ and the online check
at https://www.ssllabs.com/ssltest/ super useful.

I wonder if it might be helpful to amend the "crt <cert>" documentation to
say that Intermediate certificates should be loaded with this (either with
multiple crt lines, or concatenation as it already says). This was not
obvious to me, and I spent some time failing to get it working using the
intermediate certificate within the SSL.

I have said it before, but I'd like to say it again - HAProxy is awesome,
and the removal of one more chain in the link is fantastic. Thanks guys!

Thanks,

-Alex

[1] GoDaddy asks you to choose your type of SSL provider. I selected "nginx"
as I have used that before, but for some reason it does not provide the
intermediate certificate in this case. Select Apache Tomcat to get a zip
file with both gd_bundle and the intermediate cert.
[2] http://blog.exceliance.fr/2013/01/21/mitigating-the-ssl-beast-attack-using-the-aloha-load-balancer-haproxy/
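An added pre-deployment check for the concatenated crt file described in the post (my own example, not Alex's or the HAProxy project's code), assuming openssl is on the PATH: it builds a constructed root/intermediate/leaf test chain in place of the GoDaddy certificates, then confirms the bundle holds exactly one private key, that the first certificate is the leaf that key belongs to (HAProxy serves the first certificate as the server certificate and the rest as the chain; the chain comes from the crt file, not from ca-file), and that the leaf verifies up to the CA file through the intermediate.

```shell
#!/bin/sh
# Added example, not from the mailing-list post: sanity-check the concatenated PEM
# that HAProxy's "crt" loads (private key + leaf certificate + intermediate) before
# deploying it. The post's GoDaddy chain is replaced by a constructed
# root -> intermediate -> leaf test PKI; root.pem stands in for gd_bundle/ca.pem.

make_test_pki() {  # make_test_pki DIR: constructed three-level chain (test data only)
  d="$1"; mkdir -p "$d"
  printf '[req]\ndistinguished_name=dn\n[dn]\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/x.cnf"
  openssl req -x509 -config "$d/x.cnf" -extensions v3_ca -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Test Root CA" -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  openssl req -new -config "$d/x.cnf" -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate" \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
    -days 30 -extfile "$d/x.cnf" -extensions v3_ca -out "$d/int.pem" 2>/dev/null
  openssl req -new -config "$d/x.cnf" -newkey rsa:2048 -nodes -subj "/CN=domain.com" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial \
    -days 30 -out "$d/leaf.pem" 2>/dev/null
}

pem_block() {  # pem_block FILE REGEX N: print the Nth PEM block whose BEGIN line matches REGEX
  awk -v re="$2" -v n="$3" '
    /^-----BEGIN / && $0 ~ re { c++ }
    c == n { print }
    /^-----END / && c == n { exit }' "$1"
}

check_bundle() {  # check_bundle CRT CA_FILE: returns 0 only if CRT is what HAProxy needs
  b="$1"; ca="$2"; t=$(mktemp -d)
  # Exactly one private key, and both the leaf and the intermediate certificate.
  [ "$(grep -c '^-----BEGIN .*PRIVATE KEY-----$' "$b")" -eq 1 ] \
    || { echo "FAIL: expected exactly one private key block in $b"; return 1; }
  [ "$(grep -c '^-----BEGIN CERTIFICATE-----$' "$b")" -ge 2 ] \
    || { echo "FAIL: need the leaf AND the intermediate certificate in $b"; return 1; }
  pem_block "$b" "PRIVATE KEY" 1 > "$t/key.pem"
  pem_block "$b" "CERTIFICATE" 1 > "$t/leaf.pem"
  pem_block "$b" "CERTIFICATE" 2 > "$t/int.pem"
  # The FIRST certificate is what HAProxy serves, so it must carry the key's public key.
  [ "$(openssl pkey -in "$t/key.pem" -pubout 2>/dev/null)" = "$(openssl x509 -in "$t/leaf.pem" -pubkey -noout)" ] \
    || { echo "FAIL: first certificate does not match the private key (leaf must come first)"; return 1; }
  # The leaf must chain to the CA file with the intermediate as the untrusted link.
  openssl verify -CAfile "$ca" -untrusted "$t/int.pem" "$t/leaf.pem" >/dev/null 2>&1 \
    || { echo "FAIL: chain does not verify against $ca"; return 1; }
  rm -rf "$t"; echo "OK: $b has key, leaf and intermediate in order and the chain verifies"
}
# Usage: check_bundle /path/to/domain.com.crt /path/to/ca.pem
```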
