Hi Emeric,
> Le 7 janv. 2019 à 18:11, Emeric Brun <[email protected]> a écrit : > > Hi Manu, > > On 1/7/19 5:59 PM, Emmanuel Hocdet wrote: >> It's better with patches… >> >>> Le 7 janv. 2019 à 17:57, Emmanuel Hocdet <[email protected] >>> <mailto:[email protected]>> a écrit : >>> >>> Hi, >>> >>> Following the first patch series (included). >>> The goal is to deduplicate common certificates in memory and in shared pem >>> files. >>> >>> PATCH 7/8 is only for boringssl (directive to dedup certificate in memory >>> for ctx) >>> Last patch should be the more interesting: >>> [PATCH 8/8] MINOR: ssl: add "issuer-path" directive. >>> >>> Certificates loaded with "crt" and "crt-list" commonly share the same >>> intermediate certificate in PEM file. "issuer-path" is a global >>> directive to share intermediate certificate in a directory. If >>> certificate chain is not included in certificate PEM file, haproxy >>> will complete chain if issuer match the first certificate of the chain >>> stored via "issuer-path" directive. Such chains will be shared in ssl >>> shared memory. >>> . "issuer-path" directive can be set several times. >>> . only sha1 key identifier is supported (rfc5280 4.2.1.2. (1)) >>> >>> If you want to test it, the patch series can be apply to haproxy-dev or >>> haproxy-1.9. >>> >>> Feedbacks are welcome :) >>> >>> ++ >>> Manu >>> >> >> > > We have to double check this patches proposal because we have a pending > feature in roadmap which could heavily collide: to load only one time a > certificate per fs entry. > > For us it is a mandatory feature to allow a clean "hot" update of > certificates. (the key to identify a certificate to update will be the path > on the fs, or at least, the base path) > > Emeric Interesting, i have some questions about this feature, i will wait. With fs entry only it can conflict with crt-list. I think it should not heavily collide. Some conflicts with code refactoring for sure, issuer sharing feature should be complementary. ++ Manu

