Hi, Following the first patch series (included). The goal is to deduplicate common certificates in memory and in shared pem files.
PATCH 7/8 is only for boringssl (directive to dedup certificate in memory for ctx) Last patch should be the more interesting: [PATCH 8/8] MINOR: ssl: add "issuer-path" directive. Certificates loaded with "crt" and "crt-list" commonly share the same intermediate certificate in PEM file. "issuer-path" is a global directive to share intermediate certificate in a directory. If certificate chain is not included in certificate PEM file, haproxy will complete chain if issuer match the first certificate of the chain stored via "issuer-path" directive. Such chains will be shared in ssl shared memory. . "issuer-path" directive can be set several times. . only sha1 key identifier is supported (rfc5280 4.2.1.2. (1)) If you want to test it, the patch series can be apply to haproxy-dev or haproxy-1.9. Feedbacks are welcome :) ++ Manu > Le 12 déc. 2018 à 12:23, Emmanuel Hocdet <[email protected]> a écrit : > > > Hi, > > I tried to improve the haproxy loading time with a lot of certificates, and > see a double file > open for each certificate (one for private-key and one for the cert/chain). > Multi-cert loading part have not this issue and is good candidate for sharing > code: > patches is this work with factoring/cleanup/fix. > > About speed: PEM file with private key in first position is far better. > > If you can consider this patches? >

