Hi,

Following the first patch series (included).
The goal is to deduplicate common certificates in memory and in shared pem 
files.

PATCH 7/8 is only for boringssl (directive to dedup certificate in memory for 
ctx)
Last patch should be the more interesting:
[PATCH 8/8] MINOR: ssl: add "issuer-path" directive.

Certificates loaded with "crt" and "crt-list" commonly share the same
intermediate certificate in PEM file. "issuer-path" is a global
directive to share intermediate certificate in a directory. If
certificate chain is not included in certificate PEM file, haproxy
will complete chain if issuer match the first certificate of the chain
stored via "issuer-path" directive. Such chains will be shared in ssl
shared memory.
. "issuer-path" directive can be set several times.
. only sha1 key identifier is supported (rfc5280 4.2.1.2. (1))

If you want to test it, the patch series can be apply to haproxy-dev or 
haproxy-1.9.

Feedbacks are welcome :)

++
Manu

> Le 12 déc. 2018 à 12:23, Emmanuel Hocdet <[email protected]> a écrit :
> 
> 
> Hi,
> 
> I tried to improve the haproxy loading time with a lot of certificates, and 
> see a double file
> open for each certificate (one for private-key and one for the cert/chain).
> Multi-cert loading part have not this issue and is good candidate for sharing 
> code:
> patches is this work with factoring/cleanup/fix.
> 
> About speed: PEM file with private key in first position is far better.
> 
> If you can consider this patches?
> 

Reply via email to