On 12/02/2015 08:17 PM, Dave Zhu (yanbzhu) wrote:
> Hello all,
>
> I've written up Willy and Emeric's proposal and it seems to test fine, at
> least from a functionality standpoint.
>
> I would appreciate it if interested parties would beat on this harder than
> I did to work out kinks.
>
> To recap for those that are new:
>
> You can now specify <path_to_cert> as a crt or a crt-list entry, but
> <path_to_cert> will not actually exist. Instead, there will be
> <path_to_cert>.rsa, <path_to_cert>.ecdsa and/or <path_to_cert>.dsa. The
> code will load what's available and create (up to) 7 unique SSL_CTX with
> the correct sets of keys and certs. It then adds these to the SNI lookup
> tree, and sets a default context if one has not been set.
>
> A couple of things to note:
>
> 1) The default context will be set to the SSL_CTX that contains the set of
> most often used key formats. So currently, it will prefer contexts that
> contain RSA, ECDSA then DSA in that order. SSL_CTX's with more key types
> will be preferred over SSL_CTX's with fewer key types.
> 2) The code for processing the CN/SAN's is quite complex. I've added as
> many comments as I thought were needed, but it still is not simple to read.
> The logic though is simple:
>
> - Load info of each crt entry.
> - Iterate through all CN/SAN entries and map each entry to which key types
> contain it
> - Iterate through list of entries to create the requisite SSL_CTX's and
> add the SSL_CTX to the sni_tree based on the current CN/SAN
>
> Time to process is O(N) where N=# of CN/SANs.
>
> In the interest of not clogging up everyone's inboxes, I've put the
> patches on pastebin, let me know if that works.
>
> Patch 1 - http://pastebin.com/B9KXnEZN
> Patch 2 - http://pastebin.com/qFXq2Pbe
> Patch 3 - http://pastebin.com/F9Y1N2YN
>
> Please take a look.
>
> -Dave
>
>
> On 12/1/15, 10:09 AM, "Willy Tarreau" <[email protected]> wrote:
>
>> Hi Dave,
>>
>> On Tue, Dec 01, 2015 at 03:04:21PM +0000, Dave Zhu (yanbzhu) wrote:
>>> I apologize for not responding sooner, I was waiting for more comments
>>> before
>>> starting implementation, then this fell off my radar when other
>>> responsibilities picked up.
>>
>> No problem, we're all in the same situation, don't worry!
>>
>>> I've got some downtime and can start working on Willy's proposal,
>>> if that
>>> will meet the requirements of the people here.
>>
>> That would be awesome! That said, don't put yourself under pressure,
>> yes it's something that people would love to have but don't stop all
>> your activities for this. I tend to think that there are people
>> volunteering for testing here given the demand, so do not hesitate
>> to post preview patches as you did initially.
>>
>> Cheers,
>> willy
>>
>
Hi Dave,

Thank you, now the feature is clearly less intrusive. But I notice some inconsistencies.

Patch 2 (crt conf keyword): if the file without key extension is present, this file is loaded but the multi_load is also called. However, in Patch 3 (crt-list), if the file without key extension is present, this file is loaded but the multi_load is NOT called.

There are a lot of indentation issues in patch 2.

In patch 2 a FIXME comment remains: // YANBZHU: FIXME

R,
Emeric
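Dave's recap above describes the multi-cert loading scheme in prose; the following is an added Python model of that logic, not code from the patches or from HAProxy itself. It assumes that only the key-type combinations actually referenced by some CN/SAN get a context, labels contexts with constructed names such as ctx_rsa+ecdsa, and uses constructed file names and SANs as input.

```python
from itertools import combinations

# Preference order from the recap: RSA, then ECDSA, then DSA.
KEY_TYPES = ("rsa", "ecdsa", "dsa")

def present_key_types(path, listing):
    """Which of <path>.rsa / <path>.ecdsa / <path>.dsa exist in a directory listing."""
    return frozenset(kt for kt in KEY_TYPES if f"{path}.{kt}" in listing)

def key_type_sets():
    """Every non-empty subset of key types: the (up to) 7 possible SSL_CTX."""
    return [frozenset(c) for r in range(1, len(KEY_TYPES) + 1)
            for c in combinations(KEY_TYPES, r)]

def preference_key(kts):
    """Sort key for the default context: more key types win, then RSA > ECDSA > DSA."""
    return (len(kts), tuple(k in kts for k in KEY_TYPES))

def map_names_to_key_types(certs):
    """certs: {key_type: [CN/SAN names in that cert]} -> {name: frozenset(key types)}."""
    by_name = {}
    for kt, names in certs.items():
        for name in names:
            by_name.setdefault(name, set()).add(kt)
    return {n: frozenset(s) for n, s in by_name.items()}

def build_contexts(certs):
    """One context per distinct key-type set that some CN/SAN needs (assumption: only
    referenced combinations are built). Returns (sni_tree, default_ctx)."""
    contexts = {}   # key-type set -> context label (constructed labels)
    sni_tree = {}   # CN/SAN -> context label, as in the SNI lookup tree
    for name, kts in map_names_to_key_types(certs).items():
        label = "ctx_" + "+".join(k for k in KEY_TYPES if k in kts)
        sni_tree[name] = contexts.setdefault(kts, label)
    # Default context: the most preferred key-type set among those created.
    default = contexts[max(contexts, key=preference_key)]
    return sni_tree, default

# Constructed sample: three key files for one <path_to_cert>, with differing SANs.
SAMPLE_LISTING = {"site.pem.rsa", "site.pem.ecdsa", "site.pem.dsa"}
SAMPLE_CERTS = {
    "rsa":   ["example.com", "www.example.com", "legacy.example.com"],
    "ecdsa": ["example.com", "www.example.com"],
    "dsa":   ["legacy.example.com"],
}

if __name__ == "__main__":
    tree, default = build_contexts(SAMPLE_CERTS)
    print(sorted(present_key_types("site.pem", SAMPLE_LISTING)), tree, default)
```

With the sample input, example.com and www.example.com share the RSA+ECDSA context, legacy.example.com gets RSA+DSA, and the default is the RSA+ECDSA context because ECDSA outranks DSA at equal key-type count.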

