On Tue, Dec 08, 2015 at 10:32:02PM +0000, Dave Zhu (yanbzhu) wrote:
> Hey Willy,
>
> On 12/8/15, 5:27 PM, "Willy Tarreau" <[email protected]> wrote:
>
> >In my opinion, these suffixes should be used only after the real cert
> >file name. So when you load "foobar.ecdsa", you should only consider
> >"foobar.ecdsa.ocsp" and so on. And from what I remember, on the CLI
> >we mention the cert name when feeding an OCSP entry so that should
> >continue to work perfectly.
>
> I agree, the limitation here is that the way HAProxy is currently designed
> only allows for 1 OCSP staple per SSL_CTX. This will have to change to
> multiple staples for SSL_CTX's with multiple certs.

Ah, I thought each cert had its own SSL_CTX. But don't worry for my
understanding of this complex API... my understanding dances like the
light of a candle in the wind. Others (like you) seem to have powerful
spots instead :-)

> >I do think so. We'll just have to remerge 4, 5 and 6 into their respective
> >patches (2 apparently) and we're good to go. If Emeric doesn't raise any
> >objection (apparently you addressed his concerns) I can merge all that
> >myself.
> >If you prefer to remerge the patches above yourself, no problem for me.
>
> I can remerge everything into 3 patches, it will be cleaner that way. I'll
> send them out tomorrow.

Perfect, thanks!
Willy

