Thank you Willy and Emeric for their efforts in the design, and thanks to everyone else for all your support and help in testing/debugging this feature!
I've attached the DOC patch to this message. Please take a look and let me know if you see any errors in formatting that needs fixed.

-Dave

On 12/14/15, 5:27 AM, "Willy Tarreau" <[email protected]> wrote:

>Hi guys,
>
>On Thu, Dec 10, 2015 at 09:29:57PM +0100, Janusz Dziemidowicz wrote:
>> 2015-12-10 21:14 GMT+01:00 Dave Zhu (yanbzhu) <[email protected]>:
>> > Finished OCSP portion. It's in patch 5
>> >
>> > OCSP staple files will have to be in the same format: haproxy.pem.rsa.ocsp
>> > and haproxy.pem.ecdsa.ocsp. They will get picked up when you load
>> > haproxy.pem in any of the supported methods.
>> >
>> > This patch is slightly bigger, as there was some refactoring that had to
>> > be done to support multi-cert SSL_CTX's.
>> >
>> > The only remaining piece would be SCTL support, and I have no experience
>> > with that. Someone else will have to step in to add that functionality.
>>
>> I haven't been following this thread closely, but SCTL should be very
>> similar to OCSP. SCTL stands for signed certificate timestamp list and
>> is just a simple list of signatures from Certificate Transparency
>> logs. This is just a binary blob tied to a given certificate. If the
>> client includes CT extension, then the server should locate appropriate
>> SCTL (haproxy.pem.rsa.sctl or haproxy.pem.ecdsa.sctl) and include it
>> in its initial reply. That's all.
>>
>> I'll try to take a look at the patch set in the following weekend if I
>> find some time.
>
>I wanted to let you know that I've just merged Dave's work now. Janusz,
>just rebase on latest master, that'll make your work easier. Dave, please
>don't forget to update the documentation :-)
>
>Thanks to all reviewers and testers, that was pretty efficient!
>
>Willy
>
0006-DOC-ssl-Adding-docs-for-Multi-Cert-bundling.patch

