On Tue, Dec 8, 2015 at 11:18 AM, Dave Zhu (yanbzhu) <[email protected]> wrote:
> Hey Bryan,
>
> I believe I have gotten to the bottom of the behavior that you are seeing:
>
> 1. 0.9.8 client cannot connect to dual cert port: This was a bug on my
> part. I neglected to set DHE keys for the SSL_CTX with multiple certs.
> I've attached another set of patches (1-5 are identical, 6 is new) that
> fixes this.

yep, patch 6 fixes this problem for me.

> 2. ECC capable client does not use ECC cipher: I believe this is due
> to your test configuration. Openssl prefers RSA ciphers by default, and so
> if you don't specify an ECC cipher first, it will always pick an RSA
> cipher. Your test uses "./openssl-1.0.2e/apps/openssl s_client -connect
> 127.0.0.1:8443" as the command, which will use the default cipher
> list. Try specifying an ECC cipher as the first cipher and it should work.

Of course, I should have realized that too. I've updated the bind ciphers to prioritize ECDSA over RSA and that fixes the issue.

So the basic tests I defined before are all passing now but only when the crt line specifies a "pem" file that doesn't exist and .ecdsa / .rsa files are loaded from that base.

Now, about using the crt bind option with a directory of certs: https://cbonte.github.io/haproxy-dconv/configuration-1.6.html#crt (Bind options)

How should that work, especially if there are .ocsp and .issuer data in the crt directory? Currently, the ECDSA certificate seems to always be used even for non-ECC capable clients, but I suspect that's due to the .ecdsa cert being loaded first and your patches do not cover that use case yet.

-Bryan
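The cipher-ordering point in the exchange above (the client's default list ranks RSA suites first, so the bind list must rank ECDSA first for the ECDSA certificate to be chosen, while a non-ECC client still falls back to an RSA suite) can be checked with a small model of TLS 1.2 suite selection. The block below is an added illustration, not code from the thread, HAProxy or OpenSSL: the cipher names are real OpenSSL names, but the client and server lists, the `site.pem` path, and the helper names are constructed for the example, and the selection rule is the simplified "first mutually supported suite in the preferring side's order".

```python
"""Model of TLS 1.2 cipher-suite selection against a dual-cert (RSA + ECDSA) server.

Added illustration for the thread above; not HAProxy or OpenSSL code.
Cipher names are real OpenSSL names; the lists below are constructed.
"""

# Authentication family of each suite. It decides which certificate the
# server must present: the '.ecdsa' file or the '.rsa' file in the thread's terms.
AUTH_OF = {
    "ECDHE-ECDSA-AES128-GCM-SHA256": "ECDSA",
    "ECDHE-ECDSA-AES256-SHA": "ECDSA",
    "ECDHE-RSA-AES128-GCM-SHA256": "RSA",
    "ECDHE-RSA-AES256-SHA": "RSA",
    "DHE-RSA-AES128-SHA": "RSA",
    "AES128-SHA": "RSA",
}

# Constructed client lists. MODERN_CLIENT stands in for an ECC-capable
# s_client run with its default list, which (as the thread notes) puts RSA
# suites ahead of ECDSA ones. LEGACY_CLIENT stands in for a 0.9.8-era client
# with no ECC support at all.
MODERN_CLIENT = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-SHA",
    "ECDHE-ECDSA-AES256-SHA",
    "DHE-RSA-AES128-SHA",
    "AES128-SHA",
]
LEGACY_CLIENT = ["DHE-RSA-AES128-SHA", "AES128-SHA"]

# Constructed bind cipher list with RSA suites listed first.
SERVER_RSA_FIRST = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "DHE-RSA-AES128-SHA",
    "AES128-SHA",
]


def ecdsa_first(ciphers):
    """Move ECDSA-authenticated suites ahead of the rest, keeping relative
    order otherwise (the 'prioritize ECDSA over RSA' change Bryan describes)."""
    ecdsa = [c for c in ciphers if AUTH_OF[c] == "ECDSA"]
    other = [c for c in ciphers if AUTH_OF[c] != "ECDSA"]
    return ecdsa + other


def select_cipher(client_order, server_order, server_preference=True):
    """Return (suite, auth family) a TLS 1.2 server would negotiate.

    With server_preference the server walks its own list and takes the first
    suite the client also offered (what SSL_OP_CIPHER_SERVER_PREFERENCE does);
    without it the client's order wins. (None, None) means no overlap.
    """
    if server_preference:
        preferred, other = server_order, client_order
    else:
        preferred, other = client_order, server_order
    offered = set(other)
    for suite in preferred:
        if suite in offered:
            return suite, AUTH_OF[suite]
    return None, None


def cert_file_for(base_pem, auth):
    """Map the negotiated auth family to the certificate file the thread
    describes: '<base>.ecdsa' or '<base>.rsa' loaded from the crt base path."""
    return f"{base_pem}.{auth.lower()}"


if __name__ == "__main__":
    base = "/etc/haproxy/certs/site.pem"  # hypothetical crt base path
    for label, client in (("modern", MODERN_CLIENT), ("legacy", LEGACY_CLIENT)):
        for bind_label, server in (("rsa-first", SERVER_RSA_FIRST),
                                   ("ecdsa-first", ecdsa_first(SERVER_RSA_FIRST))):
            suite, auth = select_cipher(client, server)
            print(f"{label:6s} client, {bind_label:11s} bind -> {suite} "
                  f"({cert_file_for(base, auth)})")
    # Client preference instead of server preference: even an ECDSA-first bind
    # list yields an RSA suite, because the default client list ranks RSA first.
    print(select_cipher(MODERN_CLIENT, ecdsa_first(SERVER_RSA_FIRST),
                        server_preference=False))
```

Two things the run makes visible: an ECDSA-first bind list is what flips the modern client to the `.ecdsa` certificate, and the legacy client keeps negotiating an RSA suite (and the `.rsa` certificate) under either ordering, so ECDSA-first does not break non-ECC clients. The last line shows the case Dave describes, where the client's own order decides and its RSA-first default wins; on the client side, `openssl s_client -cipher` is the usual way to put an ECDSA suite first when reproducing that test.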

