Hi Dave,

On Tue, Dec 08, 2015 at 09:12:58PM +0000, Dave Zhu (yanbzhu) wrote:
> There are also 2 issues here.
>
>
> 1. Loading certs from a directory doesn't process multiple certs at the
> same time. This I can fix with another patch to add that functionality

I didn't think about this one indeed.

> 2. .issuer, .ocsp and .sctl only apply to a single cert, not multiple
> certs. This is trickier, since we'd have to load multiple OCSP responses for
> stapling in the case of multiple certs, which would mean that we would have
> to set the OCSP response based on which certificate is presented. I could
> look into this as well, since it shouldn't be impossible to do given
> current HAProxy infrastructure. However, I would prefer that the
> functionality as it is today makes it into the code base. Similar with
> SCTL, although I have zero experience in that matter and would need
> guidance.

In my opinion, these suffixes should be used only after the real cert
file name. So when you load "foobar.ecdsa", you should only consider
"foobar.ecdsa.ocsp" and so on. And from what I remember, on the CLI we
mention the cert name when feeding an OCSP entry so that should continue
to work perfectly.

> I'll look into #1 and the ocsp portion of #2. I'll let you know when I have
> updates.
>
> In the meantime, is the code and functionality as of today acceptable? Could
> the feature be merged as is, with features added in the future?

I do think so. We'll just have to remerge 4, 5 and 6 into their respective
patches (2 apparently) and we're good to go. If Emeric doesn't raise any
objection (apparently you addressed his concerns) I can merge all that
myself. If you prefer to remerge the patches above yourself, no problem
for me.

Thanks!
Willy
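As an added illustration of the suffix rule discussed in this thread (example code written for this page, not HAProxy's own certificate loader), the following Python resolves .issuer/.ocsp/.sctl companions only against the exact cert file name they extend, and flags orphaned companions such as a bare "foobar.ocsp" that matches no loaded cert, plus certs that would be served without a stapled OCSP response. The directory listing is a constructed sample.

```python
"""Resolve companion files (.issuer/.ocsp/.sctl) for a directory of
certificates using the rule that a companion applies only to the exact
cert file name it extends: "foobar.ecdsa.ocsp" belongs to "foobar.ecdsa",
never to "foobar.rsa" or a bare "foobar.pem". The sample file names
below are constructed for this example, not taken from a real host."""

COMPANIONS = (".issuer", ".ocsp", ".sctl")


def is_cert_file(name):
    """A cert file is any entry that is not itself a companion file."""
    return not name.endswith(COMPANIONS)


def resolve_companions(names):
    """Return (mapping, orphans). mapping: cert -> {suffix: companion}.
    orphans: companion files whose base name matches no cert file, e.g.
    'foobar.ocsp' when only foobar.rsa and foobar.ecdsa exist. Such a
    file would staple nothing under the exact-name rule, so it is worth
    flagging as a likely misconfiguration."""
    present = set(names)
    certs = sorted(n for n in present if is_cert_file(n))
    mapping = {c: {} for c in certs}
    orphans = []
    for n in sorted(present - set(certs)):
        for suffix in COMPANIONS:
            if n.endswith(suffix):
                base = n[: -len(suffix)]
                if base in mapping:
                    mapping[base][suffix] = n
                else:
                    orphans.append(n)
                break
    return mapping, orphans


def missing_ocsp(mapping):
    """Certs that would be presented with no stapled OCSP response."""
    return sorted(c for c, comp in mapping.items() if ".ocsp" not in comp)


# Constructed directory listing (assumption, not a real deployment).
SAMPLE_DIR = [
    "foobar.rsa", "foobar.rsa.ocsp", "foobar.rsa.issuer",
    "foobar.ecdsa", "foobar.ecdsa.sctl",
    "foobar.ocsp",  # ambiguous: matches neither foobar.rsa nor foobar.ecdsa
    "www.example.pem", "www.example.pem.ocsp",
]

if __name__ == "__main__":
    m, o = resolve_companions(SAMPLE_DIR)
    for cert, comp in m.items():
        print(cert, comp)
    print("orphans:", o, "no OCSP:", missing_ocsp(m))
```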