Hello, since TLS 1.3 PSK is incompatible with TLS 1.2, is there an update patch for recent haproxy to work with TLS 1.3?
On Mon, Jan 9, 2017 at 8:07 AM, Nenad Merdanovic <[email protected]> wrote:
> Hello,
>
> On 1/5/2017 4:47 PM, Emeric Brun wrote:
>> On 01/05/2017 04:22 AM, Nenad Merdanovic wrote:
>>> I have a working patch for this, but it's very ugly currently (minimal
>>> error checking, no warnings/messages, no docs, very basic tests done
>>> only, etc.)
>>>
>>> I expect to have a version for review by EOW (depending on the workload,
>>> maybe a bit sooner).
>>>
>>> Regards,
>>> Nenad
>>
>> Great news Nenad!
>
> I haven't really had as much time as I wanted for this, but I am
> attaching a patch that I think is good enough for review as I don't
> expect design decisions to change.
>
> There are some minor things I want to improve (rename things like
> 'psk_key'), add some ifdefs for OPENSSL_NO_PSK and write the
> documentation of course. Depending on the client/server side:
> - On the bind line, there is a psk-file keyword that loads a series of
> PSKs and any can be used
> - On the server line, there is a psk keyword, that takes the same format
> as the file (<identity>:<key>) and is used for the backend connection.
>
> I'll send a full Git patch if this looks OK within the next few days.
>
> Regards,
> Nenad
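
A loader and sanity check for the `<identity>:<key>` entries described in the message above, as an added example that is not part of the thread or of the attached patch. It assumes hex-encoded keys, `#` comment lines and a 16-byte minimum key length, none of which the message specifies; `parse_psk_lines` and `lookup_psk` are hypothetical names.

```python
MIN_KEY_BYTES = 16  # assumed policy floor, not taken from the message


def parse_psk_lines(lines):
    """Parse '<identity>:<key>' entries. Returns (table, problems).

    Problems are (line_number, reason) pairs and never contain key
    material, so they are safe to write to a log.
    """
    table, problems = {}, []
    for lineno, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # assumed comment syntax
            continue
        # Assumption: keys are hex, so they cannot contain ':'. Splitting on
        # the last colon lets the identity itself contain colons.
        identity, sep, key_hex = line.rpartition(":")
        if not sep or not identity:
            problems.append((lineno, "expected <identity>:<key>"))
            continue
        try:
            key = bytes.fromhex(key_hex)
        except ValueError:
            problems.append((lineno, "key is not valid hex"))
            continue
        if len(key) < MIN_KEY_BYTES:
            problems.append((lineno, f"key shorter than {MIN_KEY_BYTES} bytes"))
            continue
        if identity in table:
            # Keep the first entry; a silent override would hide a config error.
            problems.append((lineno, f"duplicate identity {identity!r}"))
            continue
        table[identity] = key
    return table, problems


def lookup_psk(table, identity):
    """Return the key for a client-offered identity, or None to refuse."""
    return table.get(identity)


# Constructed sample input, not real keys.
SAMPLE = [
    "# constructed sample",
    "client-a:000102030405060708090a0b0c0d0e0f",
    "client-b:1a2b3c",
    "client-a:ffeeddccbbaa99887766554433221100",
    "no-separator-here",
    "site:eu:client-c:00112233445566778899aabbccddeeff",
    "client-d:not-hex",
]
```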

