Hi Emeric,

> On 7 Jan 2019 at 18:11, Emeric Brun <eb...@haproxy.com> wrote:
> Hi Manu,
> On 1/7/19 5:59 PM, Emmanuel Hocdet wrote:
>> It's better with patches…
>>> On 7 Jan 2019 at 17:57, Emmanuel Hocdet <m...@gandi.net> wrote:
>>> Hi,
>>> Following the first patch series (included).
>>> The goal is to deduplicate common certificates in memory and in shared pem 
>>> files.
>>> PATCH 7/8 is only for boringssl (directive to dedup certificate in memory 
>>> for ctx)
>>> Last patch should be the more interesting:
>>> [PATCH 8/8] MINOR: ssl: add "issuer-path" directive.
>>> Certificates loaded with "crt" and "crt-list" commonly share the same
>>> intermediate certificate in PEM file. "issuer-path" is a global
>>> directive to share intermediate certificate in a directory. If
>>> certificate chain is not included in certificate PEM file, haproxy
>>> will complete chain if issuer match the first certificate of the chain
>>> stored via "issuer-path" directive. Such chains will be shared in ssl
>>> shared memory.
>>> . "issuer-path" directive can be set several times.
>>> . only sha1 key identifier is supported (rfc5280 (1))
>>> If you want to test it, the patch series can be apply to haproxy-dev or 
>>> haproxy-1.9.
>>> Feedbacks are welcome :)
>>> ++
>>> Manu
> We have to double check this patches proposal because we have a pending 
> feature in roadmap which could heavily collide: to load only one time a 
> certificate per fs entry.
> For us it is a mandatory feature to allow a clean "hot" update of 
> certificates. (the key to identify a certificate to update will be the path 
> on the fs, or at least, the base path)
> Emeric

Interesting, I have some questions about this feature, I will wait. With fs 
entry only it can conflict with crt-list.

I think it should not heavily collide. Some conflicts with code refactoring for 
sure, issuer sharing feature should be complementary.
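The chain completion the proposal describes (a PEM file holding only the leaf, an issuer store indexed by the SHA-1 key identifier of each stored chain's first certificate, lookup by the leaf's authority key identifier) can be shown in a few dozen lines. The following is an added illustration, not code from the HAProxy patch series or from the project; it uses the Python `cryptography` library, builds a constructed two-certificate PKI in memory instead of reading an "issuer-path" directory, and names such as `build_issuer_index`, `complete_chain` and "Sample Issuing CA" are its own. It also adds one check the mailing-list text does not mention: a key-identifier hit only selects a candidate, and the leaf's signature is verified against that candidate before the chain is joined.

```python
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtensionOID, NameOID


def subject_key_id(cert):
    """SHA-1 key identifier the certificate advertises for itself (RFC 5280 4.2.1.2), or None."""
    try:
        ext = cert.extensions.get_extension_for_oid(ExtensionOID.SUBJECT_KEY_IDENTIFIER)
        return ext.value.digest
    except x509.ExtensionNotFound:
        return None


def authority_key_id(cert):
    """keyIdentifier field of the AKI extension (RFC 5280 4.2.1.1), or None if absent."""
    try:
        ext = cert.extensions.get_extension_for_oid(ExtensionOID.AUTHORITY_KEY_IDENTIFIER)
        return ext.value.key_identifier
    except x509.ExtensionNotFound:
        return None


def build_issuer_index(issuer_chains):
    """Index shared chains (what a hypothetical issuer-path directory would hold) by the
    SKI of their first certificate; a chain whose head has no SKI cannot be looked up."""
    index = {}
    for chain in issuer_chains:
        ski = subject_key_id(chain[0])
        if ski is not None:
            index[ski] = chain
    return index


def issued_by(cert, issuer):
    """Confirm a key-id match with the signature (ECDSA only; the sample keys are EC)."""
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False


def complete_chain(chain, index):
    """Return the chain extended with the shared issuer chain, or unchanged if nothing applies."""
    if len(chain) != 1:
        return chain                      # the PEM already carried its chain: leave it alone
    aki = authority_key_id(chain[0])
    if aki is None or aki not in index:
        return chain                      # nothing to match on, or issuer not in the store
    shared = index[aki]
    if not issued_by(chain[0], shared[0]):
        return chain                      # key id matched but the signature did not: do not pair
    return chain + shared


def _builder(subject, issuer, pubkey, now):
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(issuer).public_key(pubkey)
            .serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=30)))


def make_sample_pki(leaf_has_aki=True):
    """Constructed test PKI: one issuing CA (with SKI) and one leaf it signed (AKI optional)."""
    now = datetime.datetime.now(datetime.timezone.utc)
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Sample Issuing CA")])
    ca = (_builder(ca_name, ca_name, ca_key.public_key(), now)
          .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
          .add_extension(x509.SubjectKeyIdentifier.from_public_key(ca_key.public_key()),
                         critical=False)
          .sign(ca_key, hashes.SHA256()))
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    leaf_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "www.example.test")])
    builder = _builder(leaf_name, ca_name, leaf_key.public_key(), now)
    if leaf_has_aki:   # same SHA-1 over the CA public key as the CA's own SKI
        builder = builder.add_extension(
            x509.AuthorityKeyIdentifier.from_issuer_public_key(ca_key.public_key()),
            critical=False)
    leaf = builder.sign(ca_key, hashes.SHA256())
    return ca, leaf


if __name__ == "__main__":
    ca, leaf = make_sample_pki()
    index = build_issuer_index([[ca]])
    print("completed chain length:", len(complete_chain([leaf], index)))
```

A leaf whose PEM already contains a chain, a leaf without an AKI keyIdentifier (the only matching method the proposal supports), and a leaf whose issuer is not in the store all come back unchanged, which is the behaviour an operator should expect from the directive: it only fills in what it can prove it knows.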

