Hello James,
On 23.02.2017 at 01:11, James Brown wrote:
> Right now, the "best" way I'm aware of to serve both an RSA and an ECDSA
> certificate on the same IP to different clients is to use req.ssl_ec_ext
> <http://cbonte.github.io/haproxy-dconv/1.7/configuration.html#7.3.5-req.ssl_ec_ext>
> to determine if a set of supported elliptic curves was passed in the
> ClientHello.

No, you don't have to do this anymore.
Forget the TCP frontend with req.ssl_ec_ext, you can configure multiple
cert types directly as per [1].
It's as simple as naming the actual files "example.pem.rsa" and
"example.pem.ecdsa" and pointing to them by the base name "ssl crt example.pem".
Regards,
Lukas
[1] http://cbonte.github.io/haproxy-dconv/1.7/configuration.html#5.1-crt
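
The two setups discussed in this message, side by side, as an added example that is not part of the original thread. The directory /etc/haproxy/certs, the section names, the abns socket names, the single-type certificate files and the backend address 127.0.0.1:8080 are assumptions; only "example.pem", ".rsa", ".ecdsa" and req.ssl_ec_ext come from the message.

```haproxy
# Constructed example: use ONE of the two variants, not both (both bind :443).

# --- Variant A (old): TCP frontend inspects the ClientHello and relays ------
frontend tls-sniff
    mode tcp
    bind :443
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    # Elliptic-curves extension present -> send to the ECDSA terminator
    use_backend to-ecdsa if { req.ssl_ec_ext 1 }
    default_backend to-rsa

backend to-ecdsa
    mode tcp
    server ecdsa abns@tls-ecdsa send-proxy-v2

backend to-rsa
    mode tcp
    server rsa abns@tls-rsa send-proxy-v2

listen tls-ecdsa
    mode http
    bind abns@tls-ecdsa accept-proxy ssl crt /etc/haproxy/certs/ecdsa-only.pem
    server app 127.0.0.1:8080

listen tls-rsa
    mode http
    bind abns@tls-rsa accept-proxy ssl crt /etc/haproxy/certs/rsa-only.pem
    server app 127.0.0.1:8080

# --- Variant B (HAProxy 1.7 crt bundle): one TLS frontend -------------------
# Files on disk, each a PEM holding certificate, private key and chain:
#   /etc/haproxy/certs/example.pem.rsa
#   /etc/haproxy/certs/example.pem.ecdsa
# No file named example.pem exists; HAProxy resolves the suffixes itself.
# Needs HAProxy built against OpenSSL 1.0.2 or newer.
frontend https
    mode http
    bind :443 ssl crt /etc/haproxy/certs/example.pem
    default_backend app

backend app
    mode http
    server app 127.0.0.1:8080

# Check which certificate a TLS 1.2 client gets (HOST is a placeholder):
#   openssl s_client -connect HOST:443 -tls1_2 -cipher ECDHE-ECDSA-AES128-GCM-SHA256
#   openssl s_client -connect HOST:443 -tls1_2 -cipher ECDHE-RSA-AES128-GCM-SHA256
```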