On Mon, Nov 30, 2015 at 04:20:15PM -0800, Bryan Talbot wrote:
> On Mon, Nov 30, 2015 at 3:32 PM, Olivier Doucet <[email protected]> wrote:
>
> > Hello,
> >
> > I'm digging out this thread, because having multiple certificates for one
> > single domain (SNI) but with different key types (RSA/ECDSA) can really be
> > a great functionality. Is there some progress ? How can we help ?
> >
>
> I'd love to see better support for multiple certificate key types for the
> same SNI too.
>
> That said, it is possible to serve both EC and RSA keyed certificates using
> haproxy 1.6 now. See
> http://blog.haproxy.com/2015/07/15/serving-ecc-and-rsa-certificates-on-same-ip-with-haproxy/
> for details. It's not exactly pretty but it does seem to work.

Sure, it was an efficient solution: simple to implement and reliable. But
now we clearly need to finish the work that was started a few months ago on
the subject.

> > A subsidiary question is : how much ECDSA certificates are supported ? So
> > if I use a single ECDSA certificate, how many people won't be able to see my
> > content ?
> >
>
> They're pretty well supported by modern clients. Exactly what that means is
> a bit fuzzy though: see
> https://wiki.mozilla.org/Security/Server_Side_TLS#DHE_and_ECDHE_support for
> additional details.
>
> If your clients are all "modern" browsers and mobile devices, you're
> probably good. If there are old clients, or other systems calling an API
> there can be issues especially if they are using Java <= 7.

I recently stumbled on a site (which I forgot) which reported that about 75%
of their visitors support ECDSA. So in short, if we can divide the CPU usage
by 20 for 75% of the visitors, that's roughly a 3.5x performance improvement
to be expected, that would be nice!

Regards,
Willy
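Added example (editor's note, not part of the thread and not HAProxy code): the "serve ECC and RSA on one IP" workaround above, and the question of how many clients can take an ECDSA certificate, both come down to what a client advertises in its TLS ClientHello. HAProxy 1.6 exposes a ClientHello-level sample fetch for this (`req.ssl_ec_ext`); that the linked post relies on exactly that fetch is an assumption here. The parser below shows what such a decision looks at: the `supported_groups` (10) and `signature_algorithms` (13) extensions, with every length field bounds-checked so a malformed hello is rejected rather than mis-routed. The ClientHello builder produces constructed sample input; `expected_speedup` reproduces Willy's 75% / 20x estimate. The curve and scheme numbers are the IANA-registered ones.

```python
import struct

# TLS extension type numbers (RFC 4492 / RFC 5246 / RFC 8446)
EXT_SUPPORTED_GROUPS = 10
EXT_SIGNATURE_ALGORITHMS = 13
# Named curves an ECDSA certificate is commonly issued on: secp256r1, secp384r1, secp521r1
ECDSA_CERT_CURVES = {23, 24, 25}
SIG_ECDSA = 0x03  # low byte of a SignatureScheme / the "signature" half of a (hash, sig) pair


def _ext(ext_type, payload):
    return struct.pack("!HH", ext_type, len(payload)) + payload


def build_client_hello(groups=(), sig_algs=(), cipher_suites=(0xC02B, 0x002F)):
    """Constructed sample input: a minimal TLS 1.2 ClientHello record (zero random,
    no session id) carrying only the two extensions this example cares about."""
    body = b"\x03\x03" + bytes(32) + b"\x00"           # version, random, empty session_id
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                 # one compression method: null
    exts = b""
    if groups:
        g = b"".join(struct.pack("!H", x) for x in groups)
        exts += _ext(EXT_SUPPORTED_GROUPS, struct.pack("!H", len(g)) + g)
    if sig_algs:
        s = b"".join(struct.pack("!H", x) for x in sig_algs)
        exts += _ext(EXT_SIGNATURE_ALGORITHMS, struct.pack("!H", len(s)) + s)
    if exts:  # pre-extension clients simply end the message after compression methods
        body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type handshake


def _u8(buf, pos):
    if pos >= len(buf):
        raise ValueError("truncated ClientHello")
    return buf[pos]


def _u16(buf, pos):
    if pos + 2 > len(buf):
        raise ValueError("truncated ClientHello")
    return struct.unpack("!H", buf[pos:pos + 2])[0]


def parse_client_hello_extensions(record):
    """Walk the record/handshake framing and return {ext_type: raw payload}.
    Every length field is checked against the enclosing buffer, so a hello whose
    lengths do not add up raises ValueError instead of yielding a routing decision."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + _u16(record, 3)]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                         # skip client_version and random
    pos += 1 + _u8(body, pos)            # session_id
    pos += 2 + _u16(body, pos)           # cipher_suites
    pos += 1 + _u8(body, pos)            # compression_methods
    if pos == len(body):
        return {}                        # old client, no extensions block at all
    end = pos + 2 + _u16(body, pos)
    pos += 2
    if end != len(body):
        raise ValueError("extensions length does not match ClientHello length")
    exts = {}
    while pos < end:
        ext_type, ext_len = _u16(body, pos), _u16(body, pos + 2)
        pos += 4
        if pos + ext_len > end:
            raise ValueError("extension overruns extensions block")
        exts[ext_type] = body[pos:pos + ext_len]
        pos += ext_len
    return exts


def _u16_list(payload):
    n = _u16(payload, 0)
    if n != len(payload) - 2 or n % 2:
        raise ValueError("bad extension list length")
    return [struct.unpack("!H", payload[i:i + 2])[0] for i in range(2, 2 + n, 2)]


def preferred_cert_type(record):
    """'ecdsa' if the client lists a curve an ECDSA cert would live on and, when it
    sends signature_algorithms at all, accepts ECDSA signatures; otherwise 'rsa'."""
    exts = parse_client_hello_extensions(record)
    if EXT_SUPPORTED_GROUPS not in exts:
        return "rsa"
    if not ECDSA_CERT_CURVES & set(_u16_list(exts[EXT_SUPPORTED_GROUPS])):
        return "rsa"
    if EXT_SIGNATURE_ALGORITHMS in exts:
        if not any(s & 0xFF == SIG_ECDSA for s in _u16_list(exts[EXT_SIGNATURE_ALGORITHMS])):
            return "rsa"
    return "ecdsa"


def expected_speedup(ecdsa_share, ecdsa_factor):
    """Overall throughput multiplier when a share of clients costs 1/ecdsa_factor of the RSA work."""
    return 1.0 / ((1 - ecdsa_share) + ecdsa_share / ecdsa_factor)


if __name__ == "__main__":
    modern = build_client_hello(groups=(29, 23, 24), sig_algs=(0x0403, 0x0804, 0x0401))
    legacy = build_client_hello()
    print(preferred_cert_type(modern), preferred_cert_type(legacy))
    print(round(expected_speedup(0.75, 20), 2))
```

The two-way choice here mirrors the two certificate files the workaround ends up with; a real deployment would also have to cope with a client that lists x25519 only (fine for ECDHE, useless for an ECDSA certificate), which is why the curve check looks at the certificate curves rather than at "any EC extension present".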

