Hey Willy, Lukas explained it pretty well, but I can expound on it some more.
You can imagine a situation where HAProxy has 2 certificates of different key types; one ECDSA and one RSA. In the current codebase, if no SNI is used, the certificate that is used will be whichever certificate is the default (i.e. the one that is first specified in the config). So we would have 2 possible paths: 1. ECDSA was specified first. This has the effect of only supporting cipher suites that has ECDSA. If the client does not support ECDSA, then it would mean that the connection will fail, even though the server has an RSA certificate. 2. RSA was specified first. This means that ECDSA cipher suites would never be used, which can decrease performance for initial handshakes as well as have a negative security impact. What I propose would address both of these issues. If the client prefers RSA or only supports RSA, then the RSA certificate is presented. However, if the client supports ECDSA, then we would use the ECDSA certificate. Lukas, I believe the reason that apache calls out 1.0.2 is this line in the OpenSSL (1.0.1l to 1.0.2a) changelog: * Add support for certificate stores in CERT structure. This makes it possible to have different stores per SSL structure or one store in the parent SSL_CTX. Include distint stores for certificate chain verification and chain building. New ctrl SSL_CTRL_BUILD_CERT_CHAIN to build and store a certificate chain in CERT structure: returing(sic) an error if the chain cannot be built: this will allow applications to test if a chain is correctly configured. In openssl <= 1.0.1, we can load multiple certs/keys into a single SSL_CTX. However, they must all have the same cert-chain. I believe that this 1.0.2 feature addresses this issue via certificate stores, and so can then use the existing s3server cipher suite selection code to select the correct certificate/key inside the library. This would alleviate the need to hook into a callback, which is what I¹m doing here. The diff I submitted is coded to OpenSSL 1.0.1, and will still work in 1.0.2. The 1.0.2 change will make it easier to support this feature in combination with SNI. We¹ll have to discuss which approach we want to take going forward; 1.0.2 is still relatively young, and so requiring adopters to have that version may cause additional friction. -Dave On 6/24/15, 10:26 AM, "Lukas Tribus" <[email protected]> wrote: >>> Currently, I?ve coded it so that this only happens when the client >>>does not >>> specify an SNI, but I?m looking for guidance on what you would >>>consider to be >>> the best solution. This approach can certainly be taken to be >>>compatible with >>> SNI. >>> >>> Is this something that you would be interested in folding into the >>>codebase? >> >> Well, you explained what it does but not the purpose. In what does this >> constitute an improvement, for what use case ? Does it fix a connection >> trouble for some clients, or does it improve security and/or >>performance ? >> >> I must say I don't really understand the purpose. Maybe you and/or >>Olivier >> who would like this as well and/or anyone else could put some insights >>here ? > >Currently we mostly use RSA certificates. ECC (ECDSA) are different >certificates and >until RSA certificates are fully removed from the industry, we will have >to >support both. > >The change, if I understand correctly, allows serving the ECC/ECDSA >certificate >when the client supports it (via ciphers list), and RSA otherwise. > >Do we need this? Absolutely yes. But we will have to verify exactly whats >the >best way to do this, and how openssl can help with this. I believe >openssl 1.0.2 >introduces a new API which makes things simpler. > >Apache 2.4 can already do this, nginx not yet. > > >Some discussions and further informations: > >https://github.com/igrigorik/istlsfastyet.com/issues/38 >http://mailman.nginx.org/pipermail/nginx-devel/2013-October/004376.html >https://blog.cloudflare.com/ecdsa-the-digital-signature-algorithm-of-a-bet >ter-internet/ >https://blog.joelj.org/2015/06/19/dual-rsaecdsa-certificates-in-apache-2-4 >/ >https://securitypitfalls.wordpress.com/2014/10/06/rsa-and-ecdsa-performanc >e/ > > > >Regards, > >Lukas > >
