On Thu, Oct 29, 2015 at 10:39 AM, Joseph Hammerman < [email protected]> wrote:
> Hi HAProxy users list, > > I am running HAProxy version 1.5.12-1 on Ubuntu Precise Pangolin (12.04). > I have confirmed that it was compiled with OpenSSL support built in. > > I have configured an SSL backend thusly: > > bind 0.0.0.0:443 ssl crt /etc/ssl/private/secondmarket.com.pem ca-file > /etc/ssl/private/secondmarket.ca.pem ciphers > EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4 > > launching haproxy under strace provides no indication that it made an > attempt to read the ca-file (although you can clearly see it loading the > crt file). strace output is here: http://pastebin.com/RDgAug7E > > Does anyone know why the ca-file directive is being ignored? Shall I > upgrade? > ca-file is used when validating client certificates. Do you configure anything that requires or expects clients to present a valid certificate? -Bryan
