Finished OCSP portion. It's in patch 5. OCSP staple files will have to be in the same format: haproxy.pem.rsa.ocsp and haproxy.pem.ecdsa.ocsp. They will get picked up when you load haproxy.pem in any of the supported methods.
This patch is slightly bigger, as there was some refactoring that had to be done to support multi-cert SSL_CTX's. The only remaining piece would be SCTL support, and I have no experience with that. Someone else will have to step in to add that functionality.

-Dave

On 12/8/15, 5:40 PM, "Willy Tarreau" <[email protected]> wrote:

>On Tue, Dec 08, 2015 at 10:32:02PM +0000, Dave Zhu (yanbzhu) wrote:
>> Hey Willy,
>>
>> On 12/8/15, 5:27 PM, "Willy Tarreau" <[email protected]> wrote:
>> >
>> >In my opinion, these suffixes should be used only after the real cert
>> >file name. So when you load "foobar.ecdsa", you should only consider
>> >"foobar.ecdsa.ocsp" and so on. And from what I remember, on the CLI
>> >we mention the cert name when feeding an OCSP entry so that should
>> >continue to work perfectly.
>>
>> I agree, the limitation here is that the way HAProxy is currently designed
>> only allows for 1 OCSP staple per SSL_CTX. This will have to change to
>> multiple staples for SSL_CTX's with multiple certs.
>
>Ah, I thought each cert had its own SSL_CTX. But don't worry for my
>understanding of this complex API... my understanding dances like the
>light of a candle in the wind. Others (like you) seem to have powerful
>spots instead :-)
>
>> >I do think so. We'll just have to remerge 4, 5 and 6 into their
>> >respective patches (2 apparently) and we're good to go. If Emeric doesn't
>> >raise any objection (apparently you addressed his concerns) I can merge
>> >all that myself.
>> >If you prefer to remerge the patches above yourself, no problem for me.
>>
>> I can remerge everything into 3 patches, it will be cleaner that way.
>> I'll send them out tomorrow.
>
>Perfect, thanks!
>Willy
Attachments:
0001-MINOR-ssl-Added-cert_key_and_chain-struct.patch
0002-MEDIUM-ssl-Added-support-for-creating-SSL_CTX-with-m.patch
0003-MINOR-ssl-Added-multi-cert-support-for-crt-list-conf.patch
0004-MINOR-ssl-Added-multi-cert-support-for-loading-crt-d.patch
0005-MINOR-ssl-Added-support-for-Multi-Cert-OCSP-Stapling.patch

