Hi William

> On 14 Feb 2020 at 15:59, William Lallemand <wlallem...@haproxy.com> wrote:
> 
> On Fri, Feb 14, 2020 at 03:25:48PM +0100, Emmanuel Hocdet wrote:
>> Hi,
>> 
>> Is there any hope that this proposal will be considered before HAProxy 2.2?
>> 
>> ++
>> Manu
> 
> Hello,
> 
> I'm ok with the feature itself. I'm still not fond of an
> "auto-discovery" based on the SKID, but I agree that's probably the most
> convenient way of doing it for the user.
> 
Great news.

> The way it's done we won't be able to change the issuers from the CLI
> easily, but these files don't change too often so that's not a problem
> at the moment.
> 
I agree.

> Can you add a little bit of explanation on how the discovery of the
> issuer is done in the documentation?
> 
ok

> I think we will probably need more information in the "show ssl cert"
> output in the future so the users can debug this kind of feature easily.
> 

Yes. Showing the chain-filename would be very helpful.
For that I think a good way would be to keep ckch->chain and ckch->issuer
with the value (or NULL) from PEM/<payload>, and resolve chain and ocsp_issuer
when needed. "show ssl cert" will be able to find the origin of the chain (and
ocsp_issuer) without storing a new state. The drawback(?) is that the .issuer
file will be loaded, in every case, if present.
Something like what I do for the 'chain' directive POC:
https://github.com/ehocdet/haproxy/commits/chain

++
Manu


