Hey Bryan,

> Now, about using the crt bind option with a directory of certs https://cbonte.github.io/haproxy-dconv/configuration-1.6.html#crt (Bind options)
> How should that work, especially if there are .ocsp and .issuer data in the crt directory? Currently, the ECDSA certificate seems to always be used even for non-ECC capable clients but I suspect that's due to the .ecdsa cert being loaded first and your patches do not cover that use case yet.

In this case, it would work the same as it does today. So the .rsa cert and the .ecdsa cert would get loaded as separate certificates, and the ECDSA would get added to the SNI tree first due to alphabetical loading as you postulated.

There are also 2 issues here.

1. Loading certs from a directory doesn't process multiple certs at the same time. This I can fix with another patch to add that functionality.
2. .issuer, .ocsp and .sctl only apply to a single cert, not multiple certs. This is trickier, since we'd have to load multiple OCSP responses for stapling in the case of multiple certs, which would mean that we would have to set the OCSP response based on which certificate is presented. I could look into this as well, since it shouldn't be impossible to do given current HAProxy infrastructure. However, I would prefer that the functionality as it is today makes it into the code base. Similar with SCTL, although I have zero experience in that matter and would need guidance.

I'll look into #1 and the ocsp portion of #2. I'll let you know when I have updates. In the meantime, is the code and functionality as of today acceptable? Could the feature be merged as is, with features added in the future?

-Dave

From: Bryan Talbot <[email protected]>
Date: Tuesday, December 8, 2015 at 4:02 PM
To: Yanbo Zhu <[email protected]>
Cc: Bryan Talbot <[email protected]>, Willy Tarreau <[email protected]>, Olivier Doucet <[email protected]>, Emeric Brun <[email protected]>, Lukas Tribus <[email protected]>, Remi Gacogne <[email protected]>, Nenad Merdanovic <[email protected]>, "[email protected]" <[email protected]>
Subject: Re: Contribution for HAProxy: Peer Cipher based SSL CTX switching

On Tue, Dec 8, 2015 at 11:18 AM, Dave Zhu (yanbzhu) <[email protected]> wrote:

> Hey Bryan,
>
> I believe I have gotten to the bottom of the behavior that you are seeing:
>
> 1. 0.9.8 client cannot connect to dual cert port: This was a bug on my part. I neglected to set DHE keys for the SSL_CTX with multiple certs. I've attached another set of patches (1-5 are identical, 6 is new) that fixes this.

yep, patch 6 fixes this problem for me.

> 2. ECC capable client does not use ECC cipher: I believe this is due to your test configuration. Openssl prefers RSA ciphers by default, and so if you don't specify an ECC cipher first, it will always pick an RSA cipher. Your test uses "./openssl-1.0.2e/apps/openssl s_client -connect 127.0.0.1:8443" as the command, which will use the default cipher list. Try specifying an ECC cipher as the first cipher and it should work.

Of course, I should have realized that too. I've updated the bind ciphers to prioritize ECDSA over RSA and that fixes the issue. So the basic tests I defined before are all passing now but only when the crt line specifies a "pem" file that doesn't exist and .ecdsa / .rsa files are loaded from that base.

Now, about using the crt bind option with a directory of certs https://cbonte.github.io/haproxy-dconv/configuration-1.6.html#crt (Bind options)
How should that work, especially if there are .ocsp and .issuer data in the crt directory? Currently, the ECDSA certificate seems to always be used even for non-ECC capable clients but I suspect that's due to the .ecdsa cert being loaded first and your patches do not cover that use case yet.

-Bryan
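The two directory-loading issues Dave lists above (each file loaded as a separate certificate, and .ocsp/.issuer/.sctl sidecars that can only attach to one cert) can be checked before a config is deployed. The script below is an added example written for this thread, not HAProxy code or Dave's patches. It assumes the naming from the thread: bundle members are `<base>.rsa`, `<base>.ecdsa` or `<base>.dsa`, sidecars are `<base>.ocsp`, `<base>.issuer` or `<base>.sctl`, and the directory is loaded in alphabetical order as Bryan postulated; the `.dsa` suffix and the sample file names are assumptions of the example.

```python
"""Audit a HAProxy 'crt' directory listing for multi-cert bundle problems.

Added example (not HAProxy's own code). Assumed conventions: bundle members
are <base>.rsa / <base>.ecdsa / <base>.dsa, sidecar files are
<base>.ocsp / <base>.issuer / <base>.sctl, and files load in sorted order.
"""
from dataclasses import dataclass, field

KEY_SUFFIXES = (".rsa", ".ecdsa", ".dsa")          # assumed bundle member suffixes
SIDECAR_SUFFIXES = (".ocsp", ".issuer", ".sctl")   # per-certificate sidecar files


@dataclass
class Bundle:
    base: str
    certs: list = field(default_factory=list)      # cert files, in load order
    sidecars: list = field(default_factory=list)   # sidecar files for this base


def split_name(name):
    """Return (base, suffix) where suffix is a known bundle/sidecar suffix or ''."""
    for suf in KEY_SUFFIXES + SIDECAR_SUFFIXES:
        if name.endswith(suf):
            return name[: -len(suf)], suf
    return name, ""


def group_crt_dir(filenames):
    """Group directory entries by base name, walking them in alphabetical
    (assumed load) order so certs[0] is the member that enters the SNI tree first."""
    bundles = {}
    for name in sorted(filenames):
        base, suf = split_name(name)
        bundle = bundles.setdefault(base, Bundle(base))
        if suf in SIDECAR_SUFFIXES:
            bundle.sidecars.append(name)
        else:
            bundle.certs.append(name)
    return bundles


def audit(filenames):
    """Return findings for a listing: one per base that hits issue #1
    (several certs under one base, loaded separately) and one more if that
    base also carries sidecars that can only describe a single cert (issue #2)."""
    findings = []
    for base, bundle in group_crt_dir(filenames).items():
        if len(bundle.certs) > 1:
            findings.append(
                f"{base}: {len(bundle.certs)} certs loaded as separate certificates "
                f"(directory loading has no multi-cert support); "
                f"{bundle.certs[0]} enters the SNI tree first")
            if bundle.sidecars:
                findings.append(
                    f"{base}: sidecars {bundle.sidecars} apply to a single cert "
                    f"and cannot be matched to {len(bundle.certs)} certs")
    return findings


if __name__ == "__main__":
    # Constructed listing, not from a real deployment.
    sample = ["site.pem.rsa", "site.pem.ecdsa", "site.pem.ocsp",
              "site.pem.issuer", "other.pem", "other.pem.ocsp"]
    for line in audit(sample):
        print(line)
```

On the constructed listing the audit reports that `site.pem.ecdsa` sorts ahead of `site.pem.rsa` and so is the one matched first, which is the behaviour Bryan observed with non-ECC clients, and that the `.ocsp`/`.issuer` files under `site.pem` cannot be assigned to two certs; `other.pem` with its single cert and sidecar produces no finding.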

