Hello,

Allow me to resend this email: can someone tell us whether it's a bug or a 
configuration problem, please?
I would like to use ECDSA certificates in addition to RSA, but this problem is 
blocking me.

Regards,
Arnaud.


----- Original Message -----
> From: "Arnaud Gavara" <arnaud.gav...@umontpellier.fr>
> To: "haproxy" <haproxy@formilux.org>
> Sent: Wednesday 2 May 2018 17:25:26
> Subject: Re: HAProxy multiple key type support - bug/feature (?) with DH 
> parameters

> Hello,
> 
> I am picking up this mail from Olivier because I think I am running into the same problem.
> Like him, I need to use specific DH parameters. For this, I simply use the
> ability to add these DH parameters to the certificate file.
> These DH parameters are correctly taken into account if I specify the exact path of
> the certificate, for example:
> bind :443 ssl crt certificate.pem.rsa
> 
> Then, I try to use the functionality described in the manual
> (https://cbonte.github.io/haproxy-dconv/1.7/configuration.html#5.1-crt) which
> allows creating a certificate bundle if we don't specify the explicit suffix
> in the configuration:
> bind :443 ssl crt certificate.pem
> In this case, the certificate is indeed used (certificate.pem.rsa, the same file),
> but not the part of it containing the specific DH parameters. Indeed, if I do an SSL
> connection test (with testssl.sh, for example), I observe that HAProxy uses its
> default DH parameters instead of those in the file.
> 
> Of course, the goal is to be able to offer ECDSA certificates, but before
> moving on to this step, I would have to use specific DH parameters.
> 
> Regards,
> Arnaud.
> 
> ----- Original Message -----
>> From: "Olivier Doucet" <webmas...@ajeux.com>
>> To: "HAProxy" <haproxy@formilux.org>
>> Sent: Friday 23 March 2018 15:58:27
>> Subject: HAProxy multiple key type support - bug/feature (?) with DH parameters
> 
>> Hello,
>> a few months ago I started using multiple key type support in HAProxy. This
>> means I have this in haproxy.cfg:
>> bind :443 ssl crt example.pem
>> 
>> And these files:
>> example.pem.rsa
>> example.pem.rsa.ocsp
>> example.pem.rsa.issuer
>> example.pem.ecdsa
>> example.pem.ecdsa.ocsp
>> example.pem.ecdsa.issuer
>> (see https://cbonte.github.io/haproxy-dconv/1.7/configuration.html#5.1-crt)
>> 
>> It is working very well :)
>> 
>> I now need to handle specific DH parameters for a customer. Previously, I used
>> to add a DH block to the pem file and it worked... But here, the block is
>> simply ignored, despite what the configuration manual says:
>> https://cbonte.github.io/haproxy-dconv/1.7/configuration.html#3.2-tune.ssl.default-dh-param
>> "This value is not used if static Diffie-Hellman parameters are supplied
>> either directly in the certificate file or by using the ssl-dh-param-file
>> parameter"
>> 
>> I can confirm this behaviour happens only when certificates are loaded with
>> the .rsa / .ecdsa extension: it works if I rename example.pem.rsa to
>> example.pem
>> 
>> I tried creating a file example.pem.rsa.dh or example.pem.rsa.dhparam with
>> no luck (I just tried those file names at random :p).
>> 
>> Olivier
> 
> --
> Université de Montpellier
> Direction du Système d'Information et du Numérique
> Service des Moyens Informatiques
> Bureau réseaux, sécurité et téléphonie IP

-- 
Université de Montpellier
Direction du Système d'Information et du Numérique
Service des Moyens Informatiques
Bureau réseaux, sécurité et téléphonie IP
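An added example, not from the thread and not HAProxy project code: a small POSIX shell script that lays out a constructed multi-cert bundle of the kind described above (`example.pem.rsa` / `example.pem.ecdsa` behind `bind :443 ssl crt example.pem`) and reports which PEM block types each per-key-type file carries, so you can confirm the `DH PARAMETERS` block really is in the file HAProxy loads before concluding it is being ignored. The PEM bodies are constructed placeholders, not real certificates or keys, and the helper names (`pem_blocks`, `has_dh_block`, `make_bundle`, `report_bundle`) are mine, not HAProxy's.

```shell
#!/bin/sh
# Added example (not from the thread): build a constructed HAProxy multi-cert
# bundle and report which PEM blocks each file carries, so the presence or
# absence of a DH PARAMETERS block in the loaded file is not left to guesswork.
# The base64 bodies below are constructed placeholders, not real key material.
set -eu

# Print the PEM block labels (CERTIFICATE, RSA PRIVATE KEY, DH PARAMETERS, ...)
# found in a file, one per line, in file order.
pem_blocks() {
  sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# Exit status 0 if the file contains a DH PARAMETERS block, 1 otherwise.
has_dh_block() {
  pem_blocks "$1" | grep -qx 'DH PARAMETERS'
}

# Create the file pair the thread describes for "bind :443 ssl crt $1":
# $1.rsa gets certificate + key + DH block, $1.ecdsa gets certificate + key only.
make_bundle() {
  base=$1
  {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Y29uc3RydWN0ZWQgcnNhIGNlcnQ=' '-----END CERTIFICATE-----'
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Y29uc3RydWN0ZWQgcnNhIGtleQ==' '-----END RSA PRIVATE KEY-----'
    printf '%s\n' '-----BEGIN DH PARAMETERS-----' 'Y29uc3RydWN0ZWQgZGggcGFyYW1z' '-----END DH PARAMETERS-----'
  } > "$base.rsa"
  {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Y29uc3RydWN0ZWQgZWNkc2EgY2VydA==' '-----END CERTIFICATE-----'
    printf '%s\n' '-----BEGIN EC PRIVATE KEY-----' 'Y29uc3RydWN0ZWQgZWNkc2Ega2V5' '-----END EC PRIVATE KEY-----'
  } > "$base.ecdsa"
}

# For each key-type suffix named in the thread, say whether the file exists and
# whether it carries a DH PARAMETERS block. One line per suffix.
report_bundle() {
  base=$1
  for suffix in rsa ecdsa; do
    f="$base.$suffix"
    if [ ! -f "$f" ]; then
      printf '%s: missing\n' "$f"
    elif has_dh_block "$f"; then
      printf '%s: DH PARAMETERS present\n' "$f"
    else
      printf '%s: no DH PARAMETERS block\n' "$f"
    fi
  done
}

# Usage: sh check_bundle.sh   (builds a throwaway bundle in a temp dir and reports on it)
workdir=$(mktemp -d)
make_bundle "$workdir/example.pem"
report_bundle "$workdir/example.pem"
rm -r "$workdir"
```

Run `report_bundle /etc/haproxy/certs/example.pem` against a real bundle (the path is an example) to see which per-key-type file actually contains the DH block. If it is present and testssl.sh still shows HAProxy's default group, the documented alternative quoted above, the global `ssl-dh-param-file <file>` directive, supplies DH parameters to every `bind` line regardless of how the certificate itself is loaded.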
