Hello,
I have a couple of haproxy (1.5dev22 snapshot) SSL-related questions:
Is it possible to use mod_ssl-compatible "optional_no_ca" client
cert verification with haproxy?
- is it possible to use "ca-ignore-err" for this?
(I think apache 2.2.7 (mod_ssl) ignores these errors w/ optional_no_ca:
#define ssl_verify_error_is_optional(errnum) \
    ((errnum == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) \
     || (errnum == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) \
     || (errnum == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) \
     || (errnum == X509_V_ERR_CERT_UNTRUSTED) \
     || (errnum == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE))
)
- so ca-ignore-err 18,19,20,27,21 should be the same as "optional_no_ca"?
- or is the correct keyword crt-ignore-err (or both :)?
Is it possible to send the client certificate to the backend server in a header
(similar to mod_ssl +ExportCertData / nginx $ssl_client_cert)?
- I think something like:
http-request set-header X-SSL-Client-Cert %{+Q}[ssl_c_cert]
- AFAIK there is currently no keyword / code for this? But would it be
possible to add a new smp_fetch_ssl_c_* function for this?
(I might try to code it myself if this sounds reasonable?)
- SSL offloading and nbproc:
- is nbproc > 1 the recommended way to handle SSL offloading if one core
is not able to handle the load?
- is it possible to use stick tables with nbproc > 1?
- for example bind-process 1-3 to ssl enabled frontends and
bind-process 4 for backends -> is it possible to use stick tables
on the backends?
- stick table peers with nbproc > 1?
Thanks,
-Jarno
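Added illustration, not part of Jarno's post and not haproxy or Apache code: the optional_no_ca decision from the quoted mod_ssl macro rebuilt in Python with OpenSSL's numeric X509_V_ERR_* codes, so the set can be compared with the "18,19,20,27,21" ca-ignore-err list, together with the status a backend receiving a forwarded client cert should check before trusting it. The ignore-err value syntax ("all" or a comma-separated list of numbers) and the "GENEROUS" status are modelled on haproxy and mod_ssl behaviour as assumed here, not taken from the post.

```python
# Constructed example: mod_ssl optional_no_ca logic, not haproxy/Apache source.

# OpenSSL verify error codes (numeric values as in <openssl/x509_vfy.h>).
X509_V_ERR_CERT_HAS_EXPIRED = 10
X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT = 18
X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN = 19
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY = 20
X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE = 21
X509_V_ERR_CERT_UNTRUSTED = 27

# Same set as the ssl_verify_error_is_optional() macro quoted in the post.
OPTIONAL_NO_CA_ERRORS = frozenset({
    X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT,
    X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN,
    X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY,
    X509_V_ERR_CERT_UNTRUSTED,
    X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE,
})


def parse_ignore_err(value):
    """Parse an ignore-err value (assumed syntax): "all" or "18,19,20"."""
    value = value.strip()
    if value == "all":
        return None  # None means "ignore every verify error"
    return frozenset(int(x) for x in value.split(",") if x.strip())


def classify_client(errors, ignored=OPTIONAL_NO_CA_ERRORS):
    """Reduce the verify errors seen during one handshake to a mod_ssl-like
    SSL_CLIENT_VERIFY status.  `errors`: list of X509_V_ERR_* codes passed to
    the verify callback ([] = chain verified cleanly, None = no client cert).
    Returns (continue_handshake, status)."""
    if errors is None:
        return True, "NONE"
    if not errors:
        return True, "SUCCESS"
    for err in errors:
        if ignored is not None and err not in ignored:
            return False, "FAILED:%d" % err
    # Only "optional" errors were seen: the cert is present but NOT trusted.
    return True, "GENEROUS"


def backend_may_trust(status):
    """A backend given a forwarded client cert header must also be told the
    verify status: a cert that merely arrived (GENEROUS) proves nothing."""
    return status == "SUCCESS"
```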