Hi,

On Wed, Jun 24, Willy Tarreau wrote:
> On Tue, Jun 23, 2015 at 06:07:43PM +0000, Dave Zhu (yanbzhu) wrote:
> > Hello all,
> > 
> > I have a proposed enhancement that I have coded up and would like your 
> > comments.
> > 
> > The idea behind this is that when HAProxy is used to terminate SSL, and is
> > configured with multiple certificates/keys with different key types (RSA,
> > ECDSA, DSA), it only serves up the first cert/key loaded in the config
> > (unless SNI is used). This means that if a client were to prefer ECDSA over
> > RSA, even if HAProxy has an ECDSA certificate, it will use the RSA
> > certificate. My proposed enhancement is that HAProxy switch the CTX that's
> > used, based on the clients' choice of cipher-suites as well as the locally
> > available certificates/keys.
> > 
> > Currently, I've coded it so that this only happens when the client does not
> > specify an SNI, but I'm looking for guidance on what you would consider to be
> > the best solution. This approach can certainly be taken to be compatible with
> > SNI.
> > 
> > Is this something that you would be interested in folding into the codebase?
> 
> Well, you explained what it does but not the purpose. In what does this
> constitute an improvement, for what use case? Does it fix a connection
> trouble for some clients, or does it improve security and/or performance?

My understanding is that with this you could have both
ECC (https://www.digicert.com/ecc.htm /
https://blog.cloudflare.com/ecdsa-the-digital-signature-algorithm-of-a-better-internet/)
and RSA certificates for your site and haproxy would decide (based on
client preferred cipher suite) to send ECC or RSA server cert.

For example, Chrome on my laptop tries to use TLS 1.2 and
these cipher suites:
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
...
So in this case chrome prefers ECDHE_ECDSA -> send ECC certificate.

And if the browser would prefer:
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
...
-> send RSA certificate.

-Jarno

-- 
Jarno Huuskonen
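
The selection described in this message, as an added example that is not part of the original mail and is not HAProxy code: it walks the client's cipher suites in preference order and returns the first loaded certificate whose key type the suite requires. The function names and certificate file labels are assumptions made for illustration.

```python
# Added example, not HAProxy code. Certificate labels are constructed.

# TLS 1.2 key-exchange/authentication token -> key type the certificate needs.
KX_TO_KEY_TYPE = {
    "ECDHE_ECDSA": "ECDSA",
    "ECDHE_RSA": "RSA",
    "DHE_RSA": "RSA",
    "DHE_DSS": "DSA",
    "RSA": "RSA",  # plain RSA key transport, e.g. TLS_RSA_WITH_AES_128_CBC_SHA
}


def suite_key_type(suite):
    """Return the certificate key type an IANA suite name implies, or None."""
    if not suite.startswith("TLS_") or "_WITH_" not in suite:
        return None  # TLS 1.3 names (TLS_AES_128_GCM_SHA256) name no key type
    kx = suite[len("TLS_"):].split("_WITH_", 1)[0]
    return KX_TO_KEY_TYPE.get(kx)  # anon, PSK, static (EC)DH -> None


def select_certificate(client_suites, loaded_certs):
    """Pick a certificate label for a client that sent no SNI.

    client_suites: suite names in the client's preference order.
    loaded_certs:  (key_type, label) pairs in config load order.
    """
    first_of_type = {}
    for key_type, label in loaded_certs:
        first_of_type.setdefault(key_type, label)
    for suite in client_suites:
        key_type = suite_key_type(suite)
        if key_type in first_of_type:
            return first_of_type[key_type]
    # Nothing matched: keep today's behaviour and serve the first cert loaded.
    return loaded_certs[0][1]


# Constructed inputs: the suite list quoted in the mail, RSA loaded first.
CHROME_OFFER = [
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
]
LOADED = [("RSA", "site-rsa.pem"), ("ECDSA", "site-ecdsa.pem")]

if __name__ == "__main__":
    print(select_certificate(CHROME_OFFER, LOADED))
```

A server doing this would also have to check that the matching suite is enabled in its own cipher list before committing to that certificate; the sketch leaves that check out.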
