ECC certs don't work with your keychain since it only contains RSA based
ciphers and not ecdsa based ones.
Baptiste wrote on 8/12/2015 11:29:
On Wed, Aug 12, 2015 at 11:22 AM, Marc-Antoine
<[email protected]> wrote:
Hi all,
i'm trying to use an ECC certificate under haproxy without success :
* haproxy -vv
HA-Proxy version 1.5.8 2014/10/31
Copyright 2000-2014 Willy Tarreau <[email protected]>
Build options :
TARGET = linux2628
CPU = generic
CC = gcc
CFLAGS = -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat
-Werror=format-security -D_FORTIFY_SOURCE=2
OPTIONS = USE_ZLIB=1 USE_OPENSSL=1 USE_PCRE=1
Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200
Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.7
Compression algorithms supported : identity, deflate, gzip
Built with OpenSSL version : OpenSSL 1.0.1e 11 Feb 2013
Running on OpenSSL version : OpenSSL 1.0.1e 11 Feb 2013
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.30 2012-02-04
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT
IP_FREEBIND
Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.
* conf :
global
ssl-default-bind-ciphers
kEECDH+aRSA+AES:kRSA+AES:+AES256:!kEDH:!LOW:!EXP:!MD5:!RC4:!aNULL:!eNULL
ssl-default-bind-options no-sslv3
frontend cluster2:443
bind 1.2.3.4:443 ssl strict-sni crt /home/provisionning/0.pem crt
/home/provisionning/cluster2.d
default_backend cluster2
any idea ?
--
Marc-Antoine
Hi,
Might be related to your Openssl version :/
Baptiste
