Hello Dave,

On Tue, Jun 23, 2015 at 06:07:43PM +0000, Dave Zhu (yanbzhu) wrote:
> Hello all,
> 
> I have a proposed enhancement that I have coded up and would like your 
> comments.
> 
> The idea behind this is that when HAProxy is used to terminate SSL, and is
> configured with multiple certificates/keys with different key types (RSA,
> ECDSA, DSA), it only serves up the first cert/key loaded in the config
> (unless SNI is used). This means that if a client were to prefer ECDSA over
> RSA, even if HAProxy has an ECDSA certificate, it will use the RSA
> certificate. My proposed enhancement is that HAProxy switch the CTX that's
> used, based on the clients' choice of cipher-suites as well as the locally
> available certificates/keys.
> 
> Currently, I've coded it so that this only happens when the client does not
> specify an SNI, but I'm looking for guidance on what you would consider to be
> the best solution. This approach can certainly be taken to be compatible with
> SNI.
> 
> Is this something that you would be interested in folding into the codebase?

Well, you explained what it does but not the purpose. In what does this
constitute an improvement, for what use case? Does it fix a connection
trouble for some clients, or does it improve security and/or performance?

I must say I don't really understand the purpose. Maybe you and/or Olivier
who would like this as well and/or anyone else could put some insights here?

Thanks,
Willy

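The selection logic Dave describes above, written out as a small added illustration (this is not code from the thread or from HAProxy; the `Listener` class, the cipher-suite name parsing and the sample suite names are assumptions constructed for the example). It shows the behaviour the proposal changes: without the enhancement the first loaded cert is always served when no SNI is present; with it, the key type is chosen from the client's cipher-suite preference order, falling back to the first loaded cert when nothing matches.

```python
"""Illustrative certificate selection by client cipher-suite preference (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Authentication token in an OpenSSL-style cipher-suite name -> certificate key type.
# Constructed mapping for the example; "DSS" is the OpenSSL spelling for DSA auth.
_AUTH_TOKENS = {"ECDSA": "ECDSA", "RSA": "RSA", "DSS": "DSA"}


def auth_type(cipher_name: str) -> Optional[str]:
    """Return the key type a cipher suite authenticates with, or None if unknown.

    Names such as 'ECDHE-ECDSA-AES128-GCM-SHA256' carry the auth algorithm as a
    token. Classic suites with static RSA key exchange ('AES128-SHA') have no
    kex/auth prefix at all and implicitly use RSA.
    """
    tokens = cipher_name.split("-")
    for tok in tokens:
        if tok in _AUTH_TOKENS:
            return _AUTH_TOKENS[tok]
    if tokens[0].startswith(("AES", "DES", "CAMELLIA")):
        return "RSA"
    return None  # e.g. an unrecognised or authentication-agnostic suite


@dataclass
class Listener:
    """Hypothetical TLS listener holding one cert per key type (assumed model)."""

    # key type -> cert file, in the order the certs were loaded; the first entry
    # is what the pre-enhancement behaviour serves whenever SNI is absent.
    certs_by_type: Dict[str, str]
    # server name -> key type, for the SNI path (kept separate, as in the proposal)
    sni_table: Dict[str, str] = field(default_factory=dict)

    def default_cert(self) -> str:
        return next(iter(self.certs_by_type.values()))

    def select_cert_legacy(self, client_ciphers: List[str], sni: Optional[str] = None) -> str:
        """Pre-enhancement behaviour: SNI match or the first loaded cert."""
        if sni is not None and sni in self.sni_table:
            return self.certs_by_type[self.sni_table[sni]]
        return self.default_cert()

    def select_cert(self, client_ciphers: List[str], sni: Optional[str] = None) -> str:
        """Proposed behaviour: when no SNI matches, honour the client's preference order."""
        if sni is not None and sni in self.sni_table:
            return self.certs_by_type[self.sni_table[sni]]
        for name in client_ciphers:  # ClientHello order == client preference
            key_type = auth_type(name)
            if key_type in self.certs_by_type:
                return self.certs_by_type[key_type]
        return self.default_cert()  # no usable match: keep the old behaviour


# Constructed sample data: an RSA cert loaded first, an ECDSA cert second.
LISTENER = Listener({"RSA": "site-rsa.pem", "ECDSA": "site-ecdsa.pem"})
ECDSA_FIRST = ["ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256"]
RSA_FIRST = ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES128-GCM-SHA256"]
DSA_ONLY = ["DHE-DSS-AES128-SHA"]

if __name__ == "__main__":
    print("legacy, ECDSA-preferring client:", LISTENER.select_cert_legacy(ECDSA_FIRST))
    print("proposed, ECDSA-preferring client:", LISTENER.select_cert(ECDSA_FIRST))
    print("proposed, RSA-preferring client:", LISTENER.select_cert(RSA_FIRST))
    print("proposed, DSA-only client (no DSA cert):", LISTENER.select_cert(DSA_ONLY))
```

The fallback at the end matters for compatibility: a client whose suites match none of the loaded key types gets exactly what it got before, so the change only affects clients that can actually use the additional certificate.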