Hey Bryan, it's strange that it's always loading the ECC cert. I just tested the code on my end and I'm not seeing this behavior.
Back to your original problem though, do the certs share a CN or SAN? That's the only way that they would get loaded together into a shared context.

-Dave

From: Bryan Talbot <[email protected]>
Date: Thursday, December 3, 2015 at 5:24 PM
To: Bryan Talbot <[email protected]>
Cc: Yanbo Zhu <[email protected]>, "[email protected]" <[email protected]>
Subject: Re: Contribution for HAProxy: Peer Cipher based SSL CTX switching

Another odd thing is that both certs are loaded even if the ECC cert doesn't have the proper name. In my testing with a bind line of

    bind :8443 ssl crt ./var/tls/localhost.pem

the ECC cert is loaded if it is in that directory no matter what the file name is.

-Bryan

On Thu, Dec 3, 2015 at 2:15 PM, Bryan Talbot <[email protected]> wrote:

On Thu, Dec 3, 2015 at 2:00 PM, Dave Zhu (yanbzhu) <[email protected]> wrote:

Hey Bryan.

I noticed that you gave HAProxy a directory. You have to give it the name of the cert instead of the directory. So your config should be:

    bind :8443 ssl crt ./var/tls/localhost.pem

I get the same behavior with that configuration. Hopefully loading certs from a directory instead of naming them all will be enabled in a future patch since I think a lot of existing configs load them that way.

-Bryan

