It’s only 1.0.1 that’s affected, so I’m inferring that predates support for serving multiple certificate types; it’s not an haproxy regression.
I’ve failed in all attempts to try tls 1.3 though. Haproxy segfaults very soon after startup. I tried several OpenSSL versions.

Sent from my iPhone

> On 4 Nov 2017, at 09:17, Robert Newson <b...@rsn.io> wrote:
>
> It seems to only be some versions of OpenSSL. I’ll go over this again more
> carefully and keep notes. I was trying out tls 1.3 support as well, so it
> might be specific to OpenSSL 1.1.1-dev.
>
> Sent from my iPhone
>
>> On 3 Nov 2017, at 22:33, Willy Tarreau <w...@1wt.eu> wrote:
>>
>> Hi Robert,
>>
>>> On Thu, Nov 02, 2017 at 03:58:47PM +0000, Robert Samuel Newson wrote:
>>> Hi,
>>>
>>> I think the "cert bundle" feature from 1.7 is broken in 1.8-rc1. My exact
>>> config works with 1.7 but says this for 1.8-rc1;
>>>
>>> unable to stat SSL certificate from file '/path/to/foo.pem': No such file
>>> or directory.
>>>
>>> That is, it's attempting to load foo.pem, not foo.pem.rsa or foo.pem.ecdsa
>>> like 1.7 does.
>>
>> Oh bad, that's totally unexpected. I'm CCing Emeric and Manu, the former
>> being the SSL maintainer (in case he has a quick idea about it) and the
>> latter having upgraded a large part of the cert management code, possibly
>> having an idea about anything that could have gone wrong.
>>
>>> I also tried asking the mailing list daemon for help by emailing
>>> haproxy+h...@formilux.org as the signup confirmation specifies, the full
>>> body of that help is just "Hello,". I was hoping to ask the daemon to send
>>> me the initial message in this thread so I could reply into the thread
>>> properly. Sadly the mailing list archive doesn't show any of the headers I
>>> might have injected to get threading working that way, so sorry for
>>> breaking the thread but I really tried not to.
>>
>> I was not even aware of the feature :-)
>>
>>> I am very excited about many of the new features in 1.8 and am itching to
>>> try them.
>>
>> As long as you're very careful that's useful. I'm going to issue an rc2 with
>> the most painful bugs fixed.
>>
>> Thanks for the report,
>> Willy