It's better with patches…

Le 7 janv. 2019 à 17:57, Emmanuel Hocdet <[email protected]> a écrit :

Hi,

Following the first patch series (included).
The goal is to deduplicate common certificates in memory and in shared pem files.

PATCH 7/8 is only for boringssl (directive to dedup certificate in memory for ctx)
Last patch should be the more interesting:
[PATCH 8/8] MINOR: ssl: add "issuer-path" directive.

Certificates loaded with "crt" and "crt-list" commonly share the same
intermediate certificate in PEM file. "issuer-path" is a global
directive to share intermediate certificate in a directory. If
certificate chain is not included in certificate PEM file, haproxy
will complete chain if issuer match the first certificate of the chain
stored via "issuer-path" directive. Such chains will be shared in ssl
shared memory.
. "issuer-path" directive can be set several times.
. only sha1 key identifier is supported (rfc5280 4.2.1.2. (1))

If you want to test it, the patch series can be apply to haproxy-dev or haproxy-1.9.

Feedbacks are welcome :)

++
Manu


Attachment: 0001-REORG-ssl-promote-cert_key_and_chain-handling.patch
Description: Binary data

Attachment: 0002-MINOR-ssl-use-STACK_OF-for-chain-certs.patch
Description: Binary data

Attachment: 0003-MINOR-ssl-SSL_CTX_set1_chain-compatibility.patch
Description: Binary data

Attachment: 0004-MINOR-ssl-used-cert_key_and_chain-func-in-load_cert_.patch
Description: Binary data

Attachment: 0005-BUG-MINOR-ssl-fix-ssl_sock_load_multi_cert-init-vars.patch
Description: Binary data

Attachment: 0006-CLEANUP-ssl-ssl_sock_load_crt_file_into_ckch.patch
Description: Binary data

Attachment: 0007-MINOR-ssl-dedup-cert-chain-for-bind-ctx-boringssl.patch
Description: Binary data

Attachment: 0008-MINOR-ssl-add-issuer-path-directive.patch
Description: Binary data



Reply via email to