Dear all,

We are now using the new feature of adding CA files dynamically via the stats / 
admin socket.

Assuming that the CA file does not exist yet, our understanding is that we:

1. Create a CA file (new ssl ca-file customer-cas.pem)

2. Set the content of the CA file with payload notation:
    "set ssl ca-file customer-cas.pem <<\n[a bunch of PEM blocks]\n"

3. Commit the CA file (commit ssl ca-file customer-cas.pem)

In step 2 we are reaching the limit of the global buffer size (defined via 
tune.bufsize, ours is tuned to ca. 71k, allowing for a comfortable 64k of 
headers).
Some of the CA files that we want to add are larger than this buffer and are 
not properly processed by the CLI.

It is understandable that the CLI socket needs some buffer and that this buffer 
is limited.
That said, reading the CA files data from disk does not pose any (perceivable) 
size limit. We recently implemented a dynamic update to avoid having to reload 
the HAProxy process whenever there was a change, and ran into this issue.

We’ve added a feature request on GitHub: 
https://github.com/haproxy/haproxy/issues/1805

This e-mail is to ask whether maybe we have overlooked something in terms of 
configuration possibilities, either for the socket or on how to use the CLI for 
creating ca-files?

Thanks in advance,
Alex
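The three-step procedure from the mail above (new / set with payload / commit), as an added example script that is not part of the original message. It assumes socat, the admin socket at /var/run/haproxy.sock and the roughly 71k tune.bufsize the mail mentions, and it measures the PEM bundle against that buffer before sending, so an oversized file is refused up front instead of being silently mishandled by the CLI.

```shell
#!/bin/sh
# Added example; assumed socket path and buffer size, override via environment.
SOCK="${HAPROXY_SOCK:-/var/run/haproxy.sock}"
# tune.bufsize from the mail ("ca. 71k"), here taken as 71*1024 bytes.
BUFSIZE="${HAPROXY_BUFSIZE:-72704}"
# Headroom for the "set ssl ca-file <name> <<" line and the empty terminator
# line; an approximation, not HAProxy's exact accounting.
CMD_OVERHEAD=32

# Returns 0 when the bundle plus command overhead fits in one CLI buffer.
fits_in_cli_buffer() {
    pem="$1"; name="$2"
    bytes=$(wc -c < "$pem" | tr -d ' ')
    [ $(( bytes + ${#name} + CMD_OVERHEAD )) -le "$BUFSIZE" ]
}

# Emits the payload-notation command: header line, PEM lines, then the
# empty line that terminates a CLI payload (awk guarantees a final newline).
set_payload() {
    name="$1"; pem="$2"
    printf 'set ssl ca-file %s <<\n' "$name"
    awk '{ print }' "$pem"
    printf '\n'
}

# Sends whatever arrives on stdin as one CLI session over the admin socket.
cli() { socat stdio "UNIX-CONNECT:$SOCK"; }

# Runs the three steps, refusing bundles that would overrun the buffer.
load_ca_file() {
    name="$1"; pem="$2"
    if ! fits_in_cli_buffer "$pem" "$name"; then
        echo "refusing $pem: larger than the CLI buffer ($BUFSIZE bytes)" >&2
        return 1
    fi
    printf 'new ssl ca-file %s\n' "$name" | cli
    set_payload "$name" "$pem" | cli
    printf 'commit ssl ca-file %s\n' "$name" | cli
}

# Usage: ./load-ca.sh customer-cas.pem /path/to/bundle.pem
if [ "$#" -eq 2 ]; then
    load_ca_file "$1" "$2"
fi
```

After the commit, `show ssl ca-file customer-cas.pem` on the same socket lists the certificates HAProxy actually loaded, which is the quickest way to confirm nothing was cut off.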
