On Tue, Jul 26, 2022 at 03:04:41PM +0000, Lais, Alexander wrote:
> Dear all,
>
> We are now using the new feature of adding CA files dynamically via the stats
> / admin socket.
>
> Assuming that the CA file does not exist yet, our understanding is that we:
>
> 1. Create a CA file (new ssl ca-file customer-cas.pem)
>
> 2. Set the content of the CA file with payload notation;
> "set ssl ca-file customer-cas.pem <<\n[a bunch of PEM blocks]\n"
>
> 3. Commit the CA file (commit ssl ca-file customer-cas.pem)
>
> In step 2 we are reaching the limit of the global buffer size (defined via
> tune.bufsize, ours is tuned to ca. 71k, allowing for a comfortable 64k of
> headers).
> Some of the CA files that we want to add are larger than this buffer and are
> not properly processed by the CLI.
>
> It is understandable that the CLI socket needs some buffer and that this
> buffer is limited.
> That said, reading the CA files data from disk does not pose any
> (perceivable) size limit. We recently implemented a dynamic update to avoid
> having to reload the HAProxy process whenever there was a change, and ran
> into this issue.
>
> We’ve added a feature request on GitHub:
> https://github.com/haproxy/haproxy/issues/1805
>
> This e-mail is to ask whether maybe we have overlooked something in terms of
> configuration possibilities, either for the socket or on how to use the CLI
> for creating ca-files?
>
You are indeed reaching a limitation of the current system, I'll reply
directly on your feature request.
Thanks,
--
William Lallemand
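The three-step new/set/commit sequence from the quoted request, written out as an added shell example that is not part of this thread or of HAProxy itself. It assumes socat is installed, that the admin socket is at /var/run/haproxy/admin.sock and the configuration at /etc/haproxy/haproxy.cfg (both overridable through environment variables; these paths are assumptions), and it guards against the limitation discussed above by measuring the whole "set ssl ca-file ... <<" request against tune.bufsize before sending it, falling back to HAProxy's default of 16384 when the directive is absent. The byte count is a conservative approximation of what the CLI buffer has to hold, not HAProxy's exact internal accounting.

```shell
#!/bin/sh
# Added example, not from the thread or from HAProxy: push a CA bundle to the
# admin socket with "new ssl ca-file" / "set ssl ca-file <<" / "commit ssl ca-file".
# Assumed paths; override with HAPROXY_SOCK / HAPROXY_CFG.
set -eu

HAPROXY_SOCK="${HAPROXY_SOCK:-/var/run/haproxy/admin.sock}"
HAPROXY_CFG="${HAPROXY_CFG:-/etc/haproxy/haproxy.cfg}"

# Read tune.bufsize from the config; 16384 is HAProxy's default when unset.
configured_bufsize() {
    cfg="$1"
    if [ ! -r "$cfg" ]; then
        echo 16384
        return 0
    fi
    awk '$1 == "tune.bufsize" { v = $2 } END { print (v == "" ? 16384 : v) }' "$cfg"
}

# Build the payload-notation request: the command line ends with "<<",
# the PEM blocks follow, and an empty line terminates the payload.
payload_cmd() {
    name="$1"; pem="$2"
    printf 'set ssl ca-file %s <<\n' "$name"
    cat "$pem"
    printf '\n'
}

# The whole "set ssl ca-file" request must fit in one buffer. Returns 0 when
# it is smaller than the configured size, 1 otherwise (approximate check).
fits_bufsize() {
    name="$1"; pem="$2"; bufsize="$3"
    n=$(payload_cmd "$name" "$pem" | wc -c | tr -d ' ')
    [ "$n" -lt "$bufsize" ]
}

# Send one request (read from stdin) to the admin socket and print the reply.
cli() {
    socat - "UNIX-CONNECT:$HAPROXY_SOCK"
}

# Full sequence: refuse early if the payload cannot fit, otherwise create,
# fill and commit the CA file.
push_ca_file() {
    name="$1"; pem="$2"
    bufsize=$(configured_bufsize "$HAPROXY_CFG")
    if ! fits_bufsize "$name" "$pem" "$bufsize"; then
        echo "refusing: $pem plus command header does not fit tune.bufsize=$bufsize" >&2
        return 2
    fi
    printf 'new ssl ca-file %s\n' "$name" | cli
    payload_cmd "$name" "$pem" | cli
    printf 'commit ssl ca-file %s\n' "$name" | cli
}

# Usage: ./push-ca.sh customer-cas.pem /path/to/bundle.pem
if [ "$#" -ge 2 ]; then
    push_ca_file "$1" "$2"
fi
```

Run it as `./push-ca.sh customer-cas.pem /path/to/bundle.pem`; a bundle that cannot fit is rejected locally with exit status 2 instead of being handed to the CLI, which is the failure the thread reports.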