It's better with patches…
Hi,
Following the first patch series (included). The goal is to deduplicate common certificates in memory and in shared pem files.
PATCH 7/8 is only for boringssl (directive to dedup certificate in memory for ctx) Last patch should be the more interesting: [PATCH 8/8] MINOR: ssl: add "issuer-path" directive.
Certificates loaded with "crt" and "crt-list" commonly share the same intermediate certificate in PEM file. "issuer-path" is a global directive to share intermediate certificate in a directory. If certificate chain is not included in certificate PEM file, haproxy will complete chain if issuer match the first certificate of the chain stored via "issuer-path" directive. Such chains will be shared in ssl shared memory. . "issuer-path" directive can be set several times. . only sha1 key identifier is supported (rfc5280 4.2.1.2. (1))
If you want to test it, the patch series can be apply to haproxy-dev or haproxy-1.9.
Feedbacks are welcome :)
++ Manu
|
0001-REORG-ssl-promote-cert_key_and_chain-handling.patch
Description: Binary data
0002-MINOR-ssl-use-STACK_OF-for-chain-certs.patch
Description: Binary data
0003-MINOR-ssl-SSL_CTX_set1_chain-compatibility.patch
Description: Binary data
0004-MINOR-ssl-used-cert_key_and_chain-func-in-load_cert_.patch
Description: Binary data
0005-BUG-MINOR-ssl-fix-ssl_sock_load_multi_cert-init-vars.patch
Description: Binary data
0006-CLEANUP-ssl-ssl_sock_load_crt_file_into_ckch.patch
Description: Binary data
0007-MINOR-ssl-dedup-cert-chain-for-bind-ctx-boringssl.patch
Description: Binary data
0008-MINOR-ssl-add-issuer-path-directive.patch
Description: Binary data