Dear all,

We are now using the new feature of adding CA files dynamically via the stats / admin socket.

Assuming that the CA file does not exist yet, our understanding is that we:

1. Create a CA file (new ssl ca-file customer-cas.pem)
2. Set the content of the CA file with payload notation; "set ssl ca-file customer-cas.pem <<\n[a bunch of PEM blocks]\n"
3. Commit the CA file (commit ssl ca-file customer-cas.pem)

In step 2 we are reaching the limit of the global buffer size (defined via tune.bufsize, ours is tuned to ca. 71k, allowing for a comfortable 64k of headers). Some of the CA files that we want to add are larger than this buffer and are not properly processed by the CLI.

It is understandable that the CLI socket needs some buffer and that this buffer is limited. That said, reading the CA files data from disk does not pose any (perceivable) size limit. We recently implemented a dynamic update to avoid having to reload the HAProxy process whenever there was a change, and ran into this issue.

We’ve added a feature request on GitHub: https://github.com/haproxy/haproxy/issues/1805

This e-mail is to ask whether maybe we have overlooked something in terms of configuration possibilities, either for the socket or on how to use the CLI for creating ca-files?

Thanks in advance,
Alex
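
The three-step procedure from the message above, as an added example that is not part of the original e-mail or of HAProxy: it builds the three CLI commands and refuses an oversized bundle before anything is sent, rather than leaving a partly processed CA file. Assumptions: the whole `set` command, payload included, must fit in `tune.bufsize` bytes (the e-mail only says the limit is reached); the socket path, the buffer value in `__main__` and `SAMPLE_PEM` are constructed.

```python
import socket

# Constructed sample bundle (not real certificates), with a blank line between blocks.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\nQUJD\n-----END CERTIFICATE-----\n"
    "\n"
    "-----BEGIN CERTIFICATE-----\nREVG\n-----END CERTIFICATE-----\n"
)

def normalize_pem(pem_text):
    """Drop blank lines: the CLI treats the first empty line as end of payload."""
    return "\n".join(ln.strip() for ln in pem_text.splitlines() if ln.strip())

def build_commands(name, pem_text, bufsize):
    """Return the new/set/commit commands for one CA file.

    Raises ValueError when the set command would not fit in the CLI buffer
    (assumed limit: tune.bufsize bytes for the command plus payload).
    """
    payload = normalize_pem(pem_text)
    if "-----BEGIN CERTIFICATE-----" not in payload:
        raise ValueError("no PEM certificate block found")
    # "<<" opens the payload; the trailing empty line closes it.
    set_cmd = f"set ssl ca-file {name} <<\n{payload}\n\n"
    size = len(set_cmd.encode("utf-8"))
    if size > bufsize:
        raise ValueError(f"set command is {size} bytes, buffer is {bufsize}")
    return [f"new ssl ca-file {name}\n", set_cmd, f"commit ssl ca-file {name}\n"]

def send(sock_path, command):
    """Send one command over the stats socket and return HAProxy's reply."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(command.encode("utf-8"))
        chunks = []
        while data := s.recv(4096):
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")

if __name__ == "__main__":
    # Hypothetical socket path; 72704 is a constructed value near the "ca. 71k" quoted above.
    for cmd in build_commands("customer-cas.pem", SAMPLE_PEM, bufsize=72704):
        print(send("/var/run/haproxy.sock", cmd))
```
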