Hello, I allow myself to relaunch this email, can someone tell us if it's a bug or a configuration problem please? I would like to use ECDSA certificates in addition to RSA but this problem is blocking me.

Regards,
Arnaud.

----- Original Message -----
> From: "Arnaud Gavara" <arnaud.gav...@umontpellier.fr>
> To: "haproxy" <haproxy@formilux.org>
> Sent: Wednesday 2 May 2018 17:25:26
> Subject: Re: HAProxy multiple key type support - bug/feature (?) with DH parameters
>
> Hello,
>
> I resume this mail from Olivier because I think I meet the same problem.
> Like him, I need to use specific DH parameters. For this, I simply use the ability to add these DH parameters in the certificate file.
> These DH parameters are well taken into account if I specify the exact path of the certificate, for example:
> bind :443 ssl crt certificate.pem.rsa
>
> Then, I try to use the functionality described in the manual (https://cbonte.github.io/haproxy-dconv/1.7/configuration.html#5.1-crt) which allows creating a certificate bundle if we don't specify the explicit suffix in the configuration:
> bind :443 ssl crt certificate.pem
> In this case, the certificate is well used (certificate.pem.rsa, same file) but not its part containing the specific DH parameters. Indeed, if I do an SSL connection test (with testssl.sh for example), I observe that HAProxy uses its default DH parameters instead of using those of the file.
>
> Of course, the goal is to be able to offer ECDSA certificates, but before going to this step, I would have to use specific DH parameters.
>
> Regards,
> Arnaud.
>
> ----- Original Message -----
>> From: "Olivier Doucet" <webmas...@ajeux.com>
>> To: "HAProxy" <haproxy@formilux.org>
>> Sent: Friday 23 March 2018 15:58:27
>> Subject: HAProxy multiple key type support - bug/feature (?) with DH parameters
>
>> Hello,
>> a few months ago I started using multiple key type support in HAProxy. It means I have this in haproxy.cfg:
>> bind :443 ssl crt example.pem
>>
>> And these files:
>> example.pem.rsa
>> example.pem.rsa.ocsp
>> example.pem.rsa.issuer
>> example.pem.ecdsa
>> example.pem.ecdsa.ocsp
>> example.pem.ecdsa.issuer
>> (see https://cbonte.github.io/haproxy-dconv/1.7/configuration.html#5.1-crt)
>>
>> It is working very well :)
>>
>> I now need to handle specific DH parameters for a customer. Before, I used to add a DH block in the pem file and it was working ... But here, the block is simply ignored, despite what is said in the config documentation:
>> https://cbonte.github.io/haproxy-dconv/1.7/configuration.html#3.2-tune.ssl.default-dh-param
>> "This value is not used if static Diffie-Hellman parameters are supplied either directly in the certificate file or by using the ssl-dh-param-file parameter"
>>
>> I can confirm this behaviour happens only when certificates are loaded with the .rsa / .ecdsa extension: it is working if I rename example.pem.rsa to example.pem
>>
>> I tried to create a file example.pem.rsa.dh or example.pem.rsa.dhparam with no luck (just tried those file names randomly :p).
>>
>> Olivier
>
> --
> Université de Montpellier
> Direction du Système d'Information et du Numérique
> Service des Moyens Informatiques
> Bureau réseaux, sécurité et téléphonie IP

--
Université de Montpellier
Direction du Système d'Information et du Numérique
Service des Moyens Informatiques
Bureau réseaux, sécurité et téléphonie IP
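An added example, not code from the thread or from the HAProxy project: a POSIX shell audit that lists which PEM blocks each bundle member (base.rsa, base.ecdsa) carries, pulls an inline DH PARAMETERS block out into a standalone file, and prints the global `ssl-dh-param-file` directive that the tune.ssl.default-dh-param documentation quoted above names as the other supported source. The bundle it writes is constructed with placeholder PEM bodies, the path /etc/haproxy/dhparam.pem is an assumed location, and whether HAProxy honours ssl-dh-param-file for suffixed bundle members is an assumption the thread does not confirm.

```shell
#!/bin/sh
# Added example, not code from the thread or the HAProxy project: audit a
# multi-cert bundle (base.rsa / base.ecdsa) for inline DH parameters and move
# them into a standalone file for the global ssl-dh-param-file directive.

# Print the PEM block types a file carries, sorted and space-separated.
pem_block_types() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Copy the DH PARAMETERS block of $1 into $2; fail if $1 carries none.
extract_dh_params() {
    sed -n '/^-----BEGIN DH PARAMETERS-----$/,/^-----END DH PARAMETERS-----$/p' "$1" > "$2"
    [ -s "$2" ]
}

# Count the members of bundle $1 (the base name given after "crt") that still
# embed DH parameters, which is the case the thread reports as ignored.
count_inline_dh() {
    n=0
    for suffix in rsa ecdsa; do
        f="$1.$suffix"
        [ -f "$f" ] && grep -q '^-----BEGIN DH PARAMETERS-----$' "$f" && n=$((n + 1))
    done
    echo "$n"
}

# Constructed PEM block of type $1; the body is a placeholder, not real key material.
pem_block() { printf '%s\n' "-----BEGIN $1-----" 'UExBQ0VIT0xERVI=' "-----END $1-----"; }

# Write a constructed bundle into directory $1: DH block only in the RSA member.
make_sample_bundle() {
    { pem_block CERTIFICATE; pem_block 'PRIVATE KEY'; pem_block 'DH PARAMETERS'; } > "$1/certificate.pem.rsa"
    { pem_block CERTIFICATE; pem_block 'PRIVATE KEY'; } > "$1/certificate.pem.ecdsa"
}

# Demo: audit the constructed bundle and print the directive to move to.
demo_dir=$(mktemp -d)
make_sample_bundle "$demo_dir"
for suffix in rsa ecdsa; do
    echo "certificate.pem.$suffix: $(pem_block_types "$demo_dir/certificate.pem.$suffix")"
done
if [ "$(count_inline_dh "$demo_dir/certificate.pem")" -gt 0 ]; then
    extract_dh_params "$demo_dir/certificate.pem.rsa" "$demo_dir/dhparam.pem"
    echo "inline DH parameters found; serve them from the global section instead:"
    printf 'global\n    ssl-dh-param-file /etc/haproxy/dhparam.pem\n'
fi
rm -rf "$demo_dir"
```

Run it against a real bundle by calling `count_inline_dh /etc/haproxy/certs/certificate.pem` and `extract_dh_params` on the member that reports a DH block, then point `ssl-dh-param-file` at the extracted file and re-check with testssl.sh as in the thread.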