Hello William,

Thanks for the prompt reply.

So, as 3.1 is not an LTS version, that would mean we would need to wait for the release of 3.2, which is hopefully soon.

Thanks again!

On 08/01/2025 16:31, William Lallemand wrote:
Hello Andrii,

On Wed, Jan 08, 2025 at 04:23:56PM +0100, Andrii Ustymenko wrote:
Dear list,

As of now, HAProxy supports hosting different types of certificates on the
same IP with certificate bundling:
https://docs.haproxy.org/3.0/configuration.html#ssl-load-extra-files

That works fine with the OpenSSL library, but doesn't seem to work with the
AWS-LC SSL library.

When HAProxy is built with AWS-LC, it is able to use only one certificate
per endpoint.

I have tried the following configurations with AWS-LC:

1) Multiple crt and ciphers in bind:

bind 0.0.0.0:443 ssl crt example-rsa.pem crt example-ecdsa.pem

In this case the first declared certificate is used. Depending on the order,
it can be ECC or RSA.

2) Bundling as described in
https://docs.haproxy.org/3.0/configuration.html#ssl-load-extra-files:

bind 0.0.0.0:443 ssl crt example.pem

And two files with certificate extensions:

example.pem.ecdsa
example.pem.rsa

In this case the ECC (ECDSA) certificate is always used.

Both examples above work fine with OpenSSL.

Are there any other options to try?

Thanks!
We are still working on improving the AWS-LC support in HAProxy, and some of
the features require an up-to-date version.
We try to detail our progress on this page: 
https://github.com/haproxy/wiki/wiki/SSL-Libraries-Support-Status

The ECDSA+RSA selection requires HAProxy 3.1 and an up-to-date AWS-LC version;
you won't be able to make it work with HAProxy 3.0.

Regards,


--

Best regards,

Andrii Ustymenko
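The thread above is about which of two certificates (RSA or ECDSA, loaded from example.pem.rsa and example.pem.ecdsa) a dual-certificate bind ends up presenting. The following is an added illustration, not HAProxy's own code and not part of the mailing-list exchange: it decodes the client's TLS signature_algorithms extension (RFC 8446, section 4.2.3) and applies the selection rule the OpenSSL build is expected to follow, preferring ECDSA when the client can verify an ECDSA signature and falling back to RSA otherwise. The file names mirror the thread; the sample ClientHello extension bodies are constructed, not captured, and the function and variable names are assumptions for the example. HAProxy's real selection callback also consults the offered cipher suites and the SNI, which this illustration leaves out.

```python
# Added illustration, not HAProxy's own code: the server-side choice between an
# RSA and an ECDSA certificate, driven by the client's signature_algorithms
# extension (RFC 8446, section 4.2.3). File names mirror the thread; the sample
# extension bodies are constructed for this example, not captured traffic.
import struct

# SignatureScheme code points from RFC 8446 section 4.2.3 (real values).
ECDSA_SCHEMES = {
    0x0403,  # ecdsa_secp256r1_sha256
    0x0503,  # ecdsa_secp384r1_sha384
    0x0603,  # ecdsa_secp521r1_sha512
}
RSA_SCHEMES = {
    0x0401,  # rsa_pkcs1_sha256
    0x0501,  # rsa_pkcs1_sha384
    0x0601,  # rsa_pkcs1_sha512
    0x0804,  # rsa_pss_rsae_sha256
    0x0805,  # rsa_pss_rsae_sha384
    0x0806,  # rsa_pss_rsae_sha512
}


def build_signature_algorithms(schemes):
    """Encode an extension body: uint16 list length in bytes followed by the
    2-byte SignatureScheme values. Used here to construct the samples."""
    return struct.pack("!H", 2 * len(schemes)) + b"".join(
        struct.pack("!H", s) for s in schemes
    )


def parse_signature_algorithms(body):
    """Decode an extension body back into a list of SignatureScheme values,
    rejecting the inconsistent lengths a malformed ClientHello could carry."""
    if len(body) < 2:
        raise ValueError("signature_algorithms body shorter than its length field")
    (length,) = struct.unpack("!H", body[:2])
    if length == 0 or length % 2 or length != len(body) - 2:
        raise ValueError(
            "signature_algorithms length %d does not match %d bytes of data"
            % (length, len(body) - 2)
        )
    return list(struct.unpack("!%dH" % (length // 2), body[2:]))


def select_certificate(body, available):
    """Pick the certificate file to present for this ClientHello.

    `available` maps a key type ('ecdsa' or 'rsa') to the file loaded for it.
    Rule modelled here: prefer ECDSA when the client advertises an ECDSA
    scheme, otherwise RSA, and None when the client supports neither key type
    we hold (the handshake cannot complete in that case).
    """
    schemes = set(parse_signature_algorithms(body))
    if "ecdsa" in available and schemes & ECDSA_SCHEMES:
        return available["ecdsa"]
    if "rsa" in available and schemes & RSA_SCHEMES:
        return available["rsa"]
    return None


# Constructed sample extension bodies (not captured traffic).
MODERN_CLIENT = build_signature_algorithms([0x0403, 0x0804, 0x0401])    # ECDSA + RSA
RSA_ONLY_CLIENT = build_signature_algorithms([0x0401, 0x0501, 0x0804])  # legacy RSA-only
BUNDLE = {"ecdsa": "example.pem.ecdsa", "rsa": "example.pem.rsa"}

if __name__ == "__main__":
    for name, hello in (("modern", MODERN_CLIENT), ("rsa-only", RSA_ONLY_CLIENT)):
        print(name, "->", select_certificate(hello, BUNDLE))
```

Running it prints example.pem.ecdsa for the modern client and example.pem.rsa for the RSA-only client, which is the behaviour the thread describes for the OpenSSL build; the AWS-LC build in the thread corresponds to always returning the first (or the ECDSA) entry regardless of what the client advertised.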


