On Thu, Oct 29, 2015 at 1:43 PM, Joseph Hammerman < [email protected]> wrote:
> Hi Brian,
>
> I am trying to issue the intermediate certificate so that my trust chain
> is presented to the browser. Am I using the wrong directive for that
> purpose?
>

Yes. The intermediate certs should go in the certificate file along with the private key. So, something like this in your case then:

$> cat secondmarket.com.cert authority-intermediate.pem secondmarket.com.key > secondmarket.com.pem

You might also want DH parameters in that file too if you enable DH key exchange ciphers.

-Bryan

>
> Thanks,
> Joe Hammerman
>
> On Thu, Oct 29, 2015 at 2:33 PM, Bryan Talbot <[email protected]>
> wrote:
>
>> On Thu, Oct 29, 2015 at 10:39 AM, Joseph Hammerman <
>> [email protected]> wrote:
>>
>>> Hi HAProxy users list,
>>>
>>> I am running HAProxy version 1.5.12-1 on Ubuntu Precise Pangolin
>>> (12.04). I have confirmed that it was compiled with OpenSSL support built
>>> in.
>>>
>>> I have configured an SSL backend thusly:
>>>
>>> bind 0.0.0.0:443 ssl crt /etc/ssl/private/secondmarket.com.pem ca-file
>>> /etc/ssl/private/secondmarket.ca.pem ciphers
>>> EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
>>>
>>> launching haproxy under strace provides no indication that it made an
>>> attempt to read the ca-file (although you can clearly see it loading the
>>> crt file). strace output is here: http://pastebin.com/RDgAug7E
>>>
>>> Does anyone know why the ca-file directive is being ignored? Shall I
>>> upgrade?
>>>
>>
>>
>> ca-file is used when validating client certificates. Do you configure
>> anything that requires or expects clients to present a valid certificate?
>>
>> -Bryan
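An added example, not part of the thread: a structural check of a combined PEM file of the kind the reply builds for `crt`, flagging a missing intermediate, a missing or duplicated private key, and missing DH parameters when the cipher string names DHE/EDH suites. It inspects PEM block labels only and does not parse or validate certificates; the function names and the placeholder PEM blocks are constructed for illustration.

```python
import re

# Matches one PEM block and captures its label, e.g. "CERTIFICATE".
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.S)

def pem_labels(text):
    """Return the PEM block labels in file order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]

def names_dhe(ciphers):
    """True if the cipher string explicitly names finite-field DHE/EDH suites."""
    for token in ciphers.split(":"):
        if token.startswith("!"):
            continue  # exclusions do not enable anything
        if {"DHE", "EDH"} & set(re.split(r"[+-]", token)):
            return True
    return False

def check_crt_bundle(text, ciphers=""):
    """Return a list of findings for a PEM bundle passed to `crt`."""
    labels = pem_labels(text)
    certs = labels.count("CERTIFICATE")
    keys = sum(1 for label in labels if label.endswith("PRIVATE KEY"))
    findings = []
    if certs == 0:
        findings.append("no certificate")
    elif certs == 1:
        findings.append("no intermediate certificate")
    if keys != 1:
        findings.append(f"expected 1 private key, found {keys}")
    if names_dhe(ciphers) and "DH PARAMETERS" not in labels:
        findings.append("DHE ciphers named but no DH parameters")
    return findings

def fake_block(label):
    """Constructed placeholder with PEM framing; the body is not real key material."""
    return f"-----BEGIN {label}-----\nQ09OU1RSVUNURUQ=\n-----END {label}-----\n"

# Constructed inputs: leaf + key only, and leaf + intermediate + key.
LEAF_ONLY = fake_block("CERTIFICATE") + fake_block("RSA PRIVATE KEY")
FULL = fake_block("CERTIFICATE") * 2 + fake_block("RSA PRIVATE KEY")
# Abbreviated from the cipher string quoted in the thread.
CIPHERS = "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES256-GCM-SHA384:!aNULL"

if __name__ == "__main__":
    for name, pem in (("leaf only", LEAF_ONLY), ("full chain", FULL)):
        print(name, check_crt_bundle(pem, CIPHERS))
```

A certificate issued directly by a root needs no intermediate, so treat the "no intermediate certificate" finding as something to review rather than as an error.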

