Hey Emeric, I’m in the process of cleaning up the patches, indentation and style so I’ll post up another set to the mailing list as Willy suggested.
-Dave

On 12/3/15, 9:56 AM, "Emeric Brun" <[email protected]> wrote:

>On 12/02/2015 08:17 PM, Dave Zhu (yanbzhu) wrote:
>> Hello all,
>>
>> I've written up Willy and Emeric's proposal and it seems to test fine, at
>> least from a functionality standpoint.
>>
>> I would appreciate it if interested parties would beat on this harder than
>> I did to work out kinks.
>>
>> To recap for those that are new:
>>
>> You can now specify <path_to_cert> as a crt or a crt-list entry, but
>> <path_to_cert> will not actually exist. Instead, there will be
>> <path_to_cert>.rsa, <path_to_cert>.ecdsa and/or <path_to_cert>.dsa. The
>> code will load what's available and create (up to) 7 unique SSL_CTX with
>> the correct sets of keys and certs. It then adds these to the SNI lookup
>> tree, and sets a default context if one has not been set.
>>
>> A couple of things to note:
>>
>> 1) The default context will be set to the SSL_CTX that contains the set of
>> most often used key formats. So currently, it will prefer contexts that
>> contain RSA, ECDSA then DSA in that order. SSL_CTXs with more key types
>> will be preferred over SSL_CTXs with fewer key types.
>> 2) The code for processing the CN/SANs is quite complex. I've added as
>> many comments as I thought were needed, but it still is not simple to read.
>> The logic though is simple:
>>
>> - Load info of each crt entry.
>> - Iterate through all CN/SAN entries and map each entry to which key types
>> contain it
>> - Iterate through list of entries to create the requisite SSL_CTXs and
>> add the SSL_CTX to the sni_tree based on the current CN/SAN
>>
>> Time to process is O(N) where N=# of CN/SANs.
>>
>> In the interest of not clogging up everyone's inboxes, I've put the
>> patches on pastebin, let me know if that works.
>>
>> Patch 1 - http://pastebin.com/B9KXnEZN
>> Patch 2 - http://pastebin.com/qFXq2Pbe
>> Patch 3 - http://pastebin.com/F9Y1N2YN
>>
>> Please take a look.
>> -Dave
>>
>>
>> On 12/1/15, 10:09 AM, "Willy Tarreau" <[email protected]> wrote:
>>
>>> Hi Dave,
>>>
>>> On Tue, Dec 01, 2015 at 03:04:21PM +0000, Dave Zhu (yanbzhu) wrote:
>>>> I apologize for not responding sooner, I was waiting for more comments
>>>> before starting implementation, then this fell off my radar when other
>>>> responsibilities picked up.
>>>
>>> No problem, we're all in the same situation, don't worry!
>>>
>>>> I've got some downtime and can start working on Willy's proposal,
>>>> if that will meet the requirements of the people here.
>>>
>>> That would be awesome! That said, don't put yourself under pressure,
>>> yes it's something that people would love to have but don't stop all
>>> your activities for this. I tend to think that there are people
>>> volunteering for testing here given the demand, so do not hesitate
>>> to post preview patches as you did initially.
>>>
>>> Cheers,
>>> willy
>>>
>>
>>
>
>Hi Dave,
>
>Thank you, now the feature is clearly less intrusive.
>
>But I notice some inconsistencies.
>
>Patch 2 (crt conf keyword):
>If the file without key extension is present, this file is loaded but
>also the multi_load is called.
>
>However in Patch 3 (crt-list):
>If the file without key extension is present, this file is loaded but the
>multi_load is NOT called.
>
>There are a lot of indentation issues in patch 2.
>
>In patch 2 a FIXME comment remains:
>// YANBZHU: FIXME
>
>R,
>Emeric
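The loading logic Dave recaps in the quoted message (discover <path_to_cert>.rsa / .ecdsa / .dsa, map each CN/SAN to the key types whose cert carries it, build one context per distinct key-type set, then pick the default by most key types first and RSA, ECDSA, DSA order after that), modelled as an added Python example. This is not HAProxy code and not the patches from the thread: it stands in for the filesystem with a constructed set of file names and for the certificates with constructed SAN lists, and the exact tie-break between contexts holding the same number of key types (compare members in preference order) is my reading of the description, not something the thread states.

```python
"""Model of the multi-cert loading logic described in the thread.

Added illustration, not HAProxy code. Real X.509 files are replaced by
constructed name lists; the "filesystem" is a constructed set of paths.
"""

# Preference order from the thread: RSA, then ECDSA, then DSA.
KEY_TYPES = ("rsa", "ecdsa", "dsa")
RANK = {k: i for i, k in enumerate(KEY_TYPES)}


def discover_key_files(prefix, existing_files):
    """Return the key types for which <prefix>.<type> exists.

    `existing_files` stands in for the filesystem (constructed here).
    """
    return tuple(k for k in KEY_TYPES if f"{prefix}.{k}" in existing_files)


def names_to_key_sets(certs):
    """Map each CN/SAN to the frozenset of key types whose cert contains it.

    `certs` is {key_type: [names...]}. One pass over all names, O(N).
    """
    mapping = {}
    for key_type, names in certs.items():
        for name in names:
            mapping.setdefault(name, set()).add(key_type)
    return {name: frozenset(kinds) for name, kinds in mapping.items()}


def build_contexts(certs):
    """One context per distinct key-type set, plus the SNI lookup.

    Returns (contexts, sni_tree). `contexts` maps a key-type set to the
    ordered list of key types it holds (up to 2**3 - 1 = 7 entries for
    three key types); `sni_tree` maps each name to its context's key set.
    """
    sni_tree = names_to_key_sets(certs)
    contexts = {}
    for kinds in sni_tree.values():
        contexts.setdefault(kinds, sorted(kinds, key=RANK.get))
    return contexts, sni_tree


def context_preference(kinds):
    """Sort key: more key types first, then RSA > ECDSA > DSA.

    Assumption for the example: contexts with the same count are ordered
    by the ranks of their members in preference order (lower is better).
    """
    return (-len(kinds), tuple(sorted(RANK[k] for k in kinds)))


def choose_default(contexts):
    """Pick the default context per the thread's rule; None if nothing loaded."""
    if not contexts:
        return None
    return min(contexts, key=context_preference)


# Constructed example: all three key files exist, with overlapping SAN lists.
EXISTING_FILES = {"site.pem.rsa", "site.pem.ecdsa", "site.pem.dsa"}
CERTS = {
    "rsa": ["example.com", "www.example.com", "legacy.example.com"],
    "ecdsa": ["example.com", "www.example.com", "api.example.com"],
    "dsa": ["example.com"],
}


def run_example(prefix="site.pem", existing_files=EXISTING_FILES, certs=CERTS):
    """Discover key files, load only those, build contexts, pick the default."""
    found = discover_key_files(prefix, existing_files)
    loaded = {k: v for k, v in certs.items() if k in found}
    contexts, sni_tree = build_contexts(loaded)
    return found, contexts, sni_tree, choose_default(contexts)


if __name__ == "__main__":
    found, contexts, sni_tree, default = run_example()
    print("key files found:", found)
    for kinds, members in sorted(contexts.items(), key=lambda kv: context_preference(kv[0])):
        names = sorted(n for n, k in sni_tree.items() if k == kinds)
        print("context", "+".join(members), "->", names)
    print("default context:", "+".join(contexts[default]))
```

Running it on the constructed data yields four contexts (rsa+ecdsa+dsa for example.com, rsa+ecdsa for www.example.com, rsa for legacy.example.com, ecdsa for api.example.com) and selects rsa+ecdsa+dsa as the default; removing files from EXISTING_FILES shows how the same names collapse into fewer contexts, and an empty set yields no default at all, which is the case the loader has to handle rather than dereference.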

