Hi Manu, On 1/7/19 5:59 PM, Emmanuel Hocdet wrote: > It's better with patches… > >> Le 7 janv. 2019 à 17:57, Emmanuel Hocdet <[email protected] >> <mailto:[email protected]>> a écrit : >> >> Hi, >> >> Following the first patch series (included). >> The goal is to deduplicate common certificates in memory and in shared pem >> files. >> >> PATCH 7/8 is only for boringssl (directive to dedup certificate in memory >> for ctx) >> Last patch should be the more interesting: >> [PATCH 8/8] MINOR: ssl: add "issuer-path" directive. >> >> Certificates loaded with "crt" and "crt-list" commonly share the same >> intermediate certificate in PEM file. "issuer-path" is a global >> directive to share intermediate certificate in a directory. If >> certificate chain is not included in certificate PEM file, haproxy >> will complete chain if issuer match the first certificate of the chain >> stored via "issuer-path" directive. Such chains will be shared in ssl >> shared memory. >> . "issuer-path" directive can be set several times. >> . only sha1 key identifier is supported (rfc5280 4.2.1.2. (1)) >> >> If you want to test it, the patch series can be apply to haproxy-dev or >> haproxy-1.9. >> >> Feedbacks are welcome :) >> >> ++ >> Manu >> > >
We have to double check this patches proposal because we have a pending feature in roadmap which could heavily collide: to load only one time a certificate per fs entry. For us it is a mandatory feature to allow a clean "hot" update of certificates. (the key to identify a certificate to update will be the path on the fs, or at least, the base path) Emeric

