Hi, thank you for the tests. It is exactly the last test. The patches seem to be good.
The patches can be merged, if it is possible. @Emeric, all the tests that you asked for are done and positive.

Thanks,
Thierry

On Mon, 24 Oct 2016 16:08:57 +0200 Beluc <[email protected]> wrote:
> Hi,
>
> I applied your patches and then launched haproxy with this minimal conf:
>
> --------
>
> global
>     tune.ssl.default-dh-param 4096
>
> defaults
>     timeout check 10s
>     timeout client 180s
>     timeout connect 2s
>     timeout http-keep-alive 15s
>     timeout http-request 10s
>     timeout queue 60s
>     timeout server 180s
>     timeout tarpit 10s
>     timeout tunnel 600s
>
> listen tmp
>     bind 127.0.0.1:8443 ssl crt tmp/ssl strict-sni
>     redirect location https://www.google.fr
>
> --------
>
> and tested all modes:
>
> $ openssl s_client -connect 127.0.0.1:8443 -CApath /etc/ssl/certs -servername dsa.toto.fr 2>/dev/null | openssl x509 -noout -text | grep "Public Key Algorithm:"
> Public Key Algorithm: dsaEncryption
> $ openssl s_client -connect 127.0.0.1:8443 -CApath /etc/ssl/certs -servername ec.toto.fr 2>/dev/null | openssl x509 -noout -text | grep "Public Key Algorithm:"
> Public Key Algorithm: id-ecPublicKey
> $ openssl s_client -connect 127.0.0.1:8443 -CApath /etc/ssl/certs -servername rsa.toto.fr 2>/dev/null | openssl x509 -noout -text | grep "Public Key Algorithm:"
> Public Key Algorithm: rsaEncryption
>
> Is that enough for you?
>
> Regards,
>
> 2016-10-23 14:49 GMT+02:00 Thierry Fournier <[email protected]>:
> > Hi list,
> >
> > I'm currently working on dynamic load of certificates, and I see some
> > minor bugs. There are a few patches.
> >
> > The first of them adds some useful traces for debugging SSL
> > (typically explaining the reason for a handshake failure).
> >
> > The second and the third are 2 minor bugs with return codes not
> > controlled.
> >
> > The fourth is the main patch. It removes some entries stored twice in the
> > SNI tree. This bug is really minor.
> >
> > I validated my patches with a classic single certificate, and with dual
> > certificates (DSA/RSA). I can't test dual or three certificates with
> > ECDSA.
> >
> > My patches can be applied on the current master branch, and they
> > are easy to apply on the 1.6 branch.
> >
> > Can anyone test the mode DSA + RSA + ECDSA?
> >
> > Thanks
> > Thierry
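The three manual s_client runs in Beluc's message can be turned into a repeatable matrix, and it is worth adding a fourth case that the manual runs do not cover: with `strict-sni` on the bind line, a servername that matches no loaded certificate must make the handshake fail, so no certificate should come back at all. The script below is an added example and not code from the thread or from the haproxy project; it assumes haproxy is listening on 127.0.0.1:8443 with the same `tmp/ssl` certificate set and names (dsa/ec/rsa.toto.fr), and `unknown.toto.fr` is a name assumed to be absent from that set. Each check prints ok/FAIL and the script exits non-zero if any name serves the wrong key type or if the unknown name is served anything.

```shell
#!/bin/sh
# Added example, not from the haproxy thread: drive the openssl s_client SNI
# check for every certificate type plus an unknown name that strict-sni must refuse.
# Assumes haproxy on 127.0.0.1:8443 with certs for dsa/ec/rsa.toto.fr (Beluc's setup)
# and that unknown.toto.fr is NOT among the loaded certificates (assumption).

# Read `openssl x509 -noout -text` output on stdin and print the key algorithm
# of the first "Public Key Algorithm:" line (empty output if no such line).
key_alg_from_text() {
    sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1
}

# Fetch the leaf certificate served for one SNI name and print its key algorithm.
# Prints NONE when no certificate came back, which is what strict-sni produces
# for a name that is not in the SNI tree (the handshake is refused).
fetch_key_alg() {
    host=$1; port=$2; name=$3
    text=$(openssl s_client -connect "$host:$port" -servername "$name" </dev/null 2>/dev/null \
           | openssl x509 -noout -text 2>/dev/null)
    alg=$(printf '%s\n' "$text" | key_alg_from_text)
    printf '%s\n' "${alg:-NONE}"
}

# Compare an observed algorithm with the expected one; returns 0 on match.
check_alg() {
    name=$1; expected=$2; observed=$3
    if [ "$observed" = "$expected" ]; then
        echo "ok   $name -> $observed"
        return 0
    fi
    echo "FAIL $name -> $observed (expected $expected)"
    return 1
}

# Run the whole matrix. The first argument is the fetch function, so the logic
# can be exercised with a stand-in when no haproxy is running.
run_matrix() {
    fetch=${1:-fetch_key_alg}
    host=${2:-127.0.0.1}; port=${3:-8443}
    rc=0
    for entry in dsa.toto.fr:dsaEncryption ec.toto.fr:id-ecPublicKey \
                 rsa.toto.fr:rsaEncryption unknown.toto.fr:NONE; do
        name=${entry%%:*}; expected=${entry#*:}
        observed=$("$fetch" "$host" "$port" "$name")
        check_alg "$name" "$expected" "$observed" || rc=1
    done
    return $rc
}

# Usage against a live haproxy: sh sni_check.sh run [host] [port]
case ${1:-} in
    run) run_matrix fetch_key_alg "${2:-127.0.0.1}" "${3:-8443}" ;;
esac
```

Dropping `-CApath` is deliberate: the check is about which certificate haproxy picks per SNI name, not whether the test CA is trusted, and `openssl x509` still prints the leaf when s_client reports a verify error. Keep `2>/dev/null` on both commands, since an unknown name produces a handshake error and no PEM block, which is exactly the NONE case the matrix expects.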

