Hi Willy,

I've just sent a simple patch for this (sorry for the delay). While
preparing this, I was not sure what the difference is between the block in
section 5.2 (Server and default-server options) and the main documentation;
it seems in the case of crt the former has the first few sentences and
misses off the last few. Since I'm making the crt block significantly
longer, it seems silly to duplicate this - at the same time it would be a
shame for someone to read the top version. I wonder if it's worth mentioning
that many of the settings are further explained, in more detail, lower down
the file in section 4.2, but I've not included this in my patch because it's
possible I'm missing something!

I considered adding something mentioning the very useful tools in my email,
but it seems wrong to signpost the ones I selected; I am far from an expert
in this area. If there was an intro to SSL section in the docs, I'd write
something explaining that it's important to check non-SNI compliant
browsers and ones with older root certificate databases (Java being the one
that bit me - as PayPal use it for their API requests) rather than just
testing in modern IE/Chrome/FF. But I'm not quite sure where to put this,
so I've left it out; if you think this would be helpful I'd be very happy
to add it.

Thanks,

Alex

On Sun, Feb 10, 2013 at 10:23 PM, Willy Tarreau <[email protected]> wrote:

> Hi Alex,
>
> On Sun, Feb 10, 2013 at 08:46:46PM +0000, Alex Davies wrote:
> > Hi All,
> >
> > I saw some traffic on the list from Guillaume and others about this, but I
> > thought I'd confirm a real world production use of a GoDaddy[1] SSL
> > certificate (which requires an intermediate certificate for some use
> > cases, specifically Java applications).
> >
> > I used the following line in haproxy.cfg:
> >
> >     bind :443 ssl crt /path/to/domain.com.crt ca-file /path/to/ca.pem
> > ciphers ECDHE-RSA-AES256-SHA:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM
> >
> > In /path/to/domain.com.crt, I have
> > My private key (the one used to generate the CSR)
> > The final certificate for my domain (downloaded from the provider)
> > The intermediate certificate (from the .zip file with the CA bundle
> > provided by godaddy)
> >
> > In /path/to/ca.pem I just took the gd_bundle file provided by GoDaddy.
> >
> > I took the ciphers restriction from an exceliance blog post[2]; it seems to
> > effectively shut up the BEAST attack alerts on the SSL checker websites.
> >
> > I found the utility at https://www.digicert.com/util/ and the online check
> > at https://www.ssllabs.com/ssltest/ super useful.
> >
> > I wonder if it might be helpful to amend the "crt <cert>" documentation to
> > say that intermediate certificates should be loaded with this (either with
> > multiple crt lines, or concatenation as it already says). This was not
> > obvious to me, and I spent some time failing to get it working using the
> > intermediate certificate within the SSL.
> >
> > I have said it before, but I'd like to say it again - HAProxy is awesome,
> > and the removal of one more chain in the link is fantastic. Thanks guys!
>
> Thank you for the informative feedback. You're right, if it took you some
> time to figure how to do this, then the doc needs to be updated. Could you
> propose some prose that you think would have helped you ? That would be
> really great. Do you think it would also be worth adding some scripts in
> the contrib/ directory to better handle the certificates concatenation
> into a single file ? Or maybe to check some certs, I don't know. You surely
> have ideas after all the tests you've performed !
>
> > Thanks,
> >
> > -Alex
> >
> > [1] Godaddy ask you to choose your type of SSL provider. I selected "nginx"
> > as I have used that before, but for some reason it does not provide the
> > intermediate certificate in this case. Select Apache Tomcat to get a zip
> > file with both gd_bundle and the intermediate Cert.
>
> This could go into the doc as well, until they add "haproxy" :-)
>
> Cheers,
> Willy


-- 
Alex Davies
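Willy asks above whether a contrib script could check the concatenated certificate file. The following is an added example, not code from this thread or from the HAProxy project: a stdlib-only Python checker for the layout the `crt` file described in the thread needs (exactly one private key, the server certificate first, then each intermediate that issued the certificate before it, as OpenSSL chain files expect). It compares the raw DER issuer and subject names; the sample bundles it builds are constructed minimal X.509-shaped DER with made-up CA names, not real signed certificates, and it does not verify signatures or expiry.

```python
import base64, re

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)

def _read_tlv(buf, pos):  # one DER TLV at pos -> (tag, body, next_pos); handles long-form lengths
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                     # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def _children(body):                                      # elements of a DER SEQUENCE body
    out, pos = [], 0
    while pos < len(body):
        tag, inner, pos = _read_tlv(body, pos)
        out.append((tag, inner))
    return out
def issuer_and_subject(cert_der):                         # raw DER bodies of the two Name fields
    _, cert_body, _ = _read_tlv(cert_der, 0)              # Certificate ::= SEQUENCE { tbsCertificate, ... }
    fields = _children(_children(cert_body)[0][1])        # tbsCertificate fields
    if fields[0][0] == 0xA0:                              # skip optional [0] EXPLICIT version
        fields = fields[1:]
    return fields[2][1], fields[4][1]                     # serial, sigalg, issuer, validity, subject

def check_bundle(text):
    """Return a list of problems; empty means the crt file is laid out as HAProxy/OpenSSL expect."""
    blocks = [(m.group(1), base64.b64decode(m.group(2))) for m in PEM_RE.finditer(text)]
    keys = [d for label, d in blocks if label.endswith("PRIVATE KEY")]
    certs = [d for label, d in blocks if label == "CERTIFICATE"]
    problems = [] if len(keys) == 1 else [f"expected exactly one private key, found {len(keys)}"]
    if not certs:
        return problems + ["no certificate found"]
    names = [issuer_and_subject(c) for c in certs]         # first cert must be the leaf (server) cert
    for i in range(1, len(names)):
        if names[i - 1][0] != names[i][1]:                 # issuer(cert i-1) must equal subject(cert i)
            problems.append(f"certificate #{i} did not issue certificate #{i - 1}: chain broken or misordered")
    return problems

# Constructed sample input: minimal X.509-shaped DER with made-up names, NOT real signed certificates.
def _tlv(tag, body):
    length = bytes([len(body)]) if len(body) < 0x80 else b"\x82" + len(body).to_bytes(2, "big")
    return bytes([tag]) + length + body
def _name(cn):                                            # Name ::= SEQUENCE { SET { SEQUENCE { CN-OID, UTF8String } } }
    return _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, cn))))
def fake_cert_pem(subject, issuer):
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + _tlv(0x30, b"")
           + _name(issuer) + _tlv(0x30, b"") + _name(subject))
    der = _tlv(0x30, _tlv(0x30, tbs) + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))
    return f"-----BEGIN CERTIFICATE-----\n{base64.encodebytes(der).decode()}-----END CERTIFICATE-----\n"
FAKE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n"   # placeholder body
GOOD_BUNDLE = FAKE_KEY + fake_cert_pem(b"domain.com", b"Intermediate CA") + fake_cert_pem(b"Intermediate CA", b"Root CA")
BAD_BUNDLE = FAKE_KEY + fake_cert_pem(b"domain.com", b"Intermediate CA") + fake_cert_pem(b"Other CA", b"Root CA")
```

To check a real file, read it into a string and call `check_bundle` on it; a bundle whose intermediates are in the wrong order is reported the same way as a missing intermediate.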
