Hi,
I applied your patches and then launched haproxy with this minimal conf:
--------
global
    tune.ssl.default-dh-param 4096

defaults
    timeout check 10s
    timeout client 180s
    timeout connect 2s
    timeout http-keep-alive 15s
    timeout http-request 10s
    timeout queue 60s
    timeout server 180s
    timeout tarpit 10s
    timeout tunnel 600s

listen tmp
    bind 127.0.0.1:8443 ssl crt tmp/ssl strict-sni
    redirect location https://www.google.fr
--------
and tested all modes:

$ openssl s_client -connect 127.0.0.1:8443 -CApath /etc/ssl/certs -servername dsa.toto.fr 2>/dev/null | openssl x509 -noout -text | grep "Public Key Algorithm:"
Public Key Algorithm: dsaEncryption

$ openssl s_client -connect 127.0.0.1:8443 -CApath /etc/ssl/certs -servername ec.toto.fr 2>/dev/null | openssl x509 -noout -text | grep "Public Key Algorithm:"
Public Key Algorithm: id-ecPublicKey

$ openssl s_client -connect 127.0.0.1:8443 -CApath /etc/ssl/certs -servername rsa.toto.fr 2>/dev/null | openssl x509 -noout -text | grep "Public Key Algorithm:"
Public Key Algorithm: rsaEncryption

Is that enough for you?
Regards,
2016-10-23 14:49 GMT+02:00 Thierry Fournier <[email protected]>:
> Hi list,
>
> I'm currently working on dynamic loading of certificates, and I see some
> minor bugs. There are a few patches.
>
> The first of them adds some useful traces for debugging SSL
> (typically explaining the reason for a handshake failure).
>
> The second and the third are 2 minor bugs with return codes not
> checked.
>
> The fourth is the main patch. It removes some entries stored twice in the
> SNI tree. This bug is really minor.
>
> I validated my patches with a classic single certificate, and with dual
> certificates (DSA/RSA). I can't test dual or triple certificates with
> ECDSA.
>
> My patches can be applied on the current master branch, and they
> are easy to apply on the 1.6 branch.
>
> Can anyone test the mode DSA + RSA + ECDSA?
>
> Thanks
> Thierry
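The manual openssl s_client checks in the reply above, turned into a repeatable script. This is an added example, not code from the thread or from HAProxy: it assumes openssl(1) is installed and that HAProxy listens on the given host and port with a "crt <dir> strict-sni" bind line, takes the host, port and "name=algorithm" pairs as arguments, and in addition to the three positive cases also checks that an SNI name with no matching certificate is refused, which is what strict-sni is meant to guarantee. The sample x509 text used to exercise the parser is constructed.

```sh
#!/bin/sh
# Added example, not code from the thread or from HAProxy: check which leaf
# certificate key type HAProxy serves for each SNI name, and that a name with
# no matching certificate is refused under strict-sni.
# Assumes openssl(1) is installed; host, port and names come from the arguments.

# Read `openssl x509 -noout -text` output on stdin and print the leaf
# certificate's key algorithm (rsaEncryption, dsaEncryption, id-ecPublicKey, ...).
key_alg_from_text() {
    sed -n 's/^[[:space:]]*Public Key Algorithm:[[:space:]]*//p' | head -n 1
}

# Handshake with the given SNI name and print the key algorithm of the leaf
# certificate that was served. Prints NO-CERT when no certificate came back,
# which is what strict-sni produces for an unknown name (or a closed port).
key_alg_for_sni() {
    h=$1; p=$2; n=$3
    pem=$(openssl s_client -connect "$h:$p" -servername "$n" </dev/null 2>/dev/null \
          | openssl x509 2>/dev/null) || pem=''
    if [ -z "$pem" ]; then
        echo NO-CERT
    else
        printf '%s\n' "$pem" | openssl x509 -noout -text | key_alg_from_text
    fi
}

# Return 0 when the name is served with the expected key algorithm (or is
# refused, when NO-CERT is expected); print one result line either way.
check_sni() {
    h=$1; p=$2; n=$3; want=$4
    got=$(key_alg_for_sni "$h" "$p" "$n")
    if [ "$got" = "$want" ]; then
        printf 'ok    %-24s %s\n' "$n" "$got"
        return 0
    fi
    printf 'FAIL  %-24s got %s, wanted %s\n' "$n" "$got" "$want"
    return 1
}

# Usage (hypothetical file name):
#   sh sni-check.sh 127.0.0.1 8443 rsa.toto.fr=rsaEncryption \
#       dsa.toto.fr=dsaEncryption ec.toto.fr=id-ecPublicKey \
#       unknown.toto.fr=NO-CERT
# Exits non-zero if any name is served with the wrong certificate type or an
# unknown name is not refused. Nothing runs when no arguments are given.
if [ "$#" -ge 3 ]; then
    host=$1; port=$2; shift 2
    rc=0
    for spec in "$@"; do
        check_sni "$host" "$port" "${spec%%=*}" "${spec#*=}" || rc=1
    done
    exit "$rc"
fi
```

The positive checks mirror the three commands in the reply; the NO-CERT case is the one worth adding, because a bind with several certificates but a missing strict-sni silently falls back to the default certificate instead of refusing the name.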