> On 3 Dec 2018, at 23:05, Lukas Tribus <li...@ltri.eu> wrote:
> 
> Hello Mildis,
> 
> 
> On Mon, 3 Dec 2018 at 22:19, Mildis <m...@mildis.org> wrote:
>> 
>> Hi,
>> 
>> I'm using 1.8.14 and I tried to follow 
>> https://www.haproxy.com/blog/serving-ecc-and-rsa-certificates-on-same-ip-with-haproxy/
>>  but all I'm getting in the log is
> 
> I'd recommend ignoring this blog post. Haproxy has been able to do
> ECC/RSA cert switching itself for some time now and I have some doubts
> about req.ssl_ec_ext still actually correctly matching ECC support with
> today's browsers and TLS stacks.
> 
> Read the docs about the crt keyword:
> https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#5.1-crt
> 
> The gist of it is that:
> "crt example.pem" loads "example.pem.ecdsa" as ECC and
> "example.pem.rsa" as RSA certificate, and selects the correct one
> based on client support (by actually using the correct openssl
> features, not payload matching in TCP mode). This makes it easy to
> implement ECC/RSA switching without a dedicated TCP based
> frontend/backend.
> 
Thanks Lukas.
I knew I saw something like that in the docs since 1.6 but an official blog 
note had priority on my mind :)
Maybe amending the post could help others wandering around the web for a 
solution ...
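
The two layouts discussed in this thread, side by side, as an added example that is not part of the original messages or the blog post. Section names, paths and the backend address are hypothetical, the TCP-mode part is only a sketch of that style of setup, and the two frontends are alternatives, not meant to be loaded together.

```haproxy
# --- Layout the thread advises against ---------------------------------
# A TCP-mode relay inspects the raw ClientHello payload and routes on
# req.ssl_ec_ext. TLS is not terminated here, so this needs two further
# TLS-terminating listeners (one per certificate) behind it.
frontend tls_relay
    mode tcp
    bind :443
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    use_backend tls_ecc if { req.ssl_ec_ext 1 }
    default_backend tls_rsa

# --- Layout using the crt keyword (HAProxy built with OpenSSL 1.0.2+) ---
# Files on disk (hypothetical path), each a PEM holding the certificate,
# its chain and the private key:
#   /etc/haproxy/certs/example.pem.rsa      RSA certificate + key
#   /etc/haproxy/certs/example.pem.ecdsa    ECDSA certificate + key
# The bind line names the base path; HAProxy loads both files as one
# bundle and OpenSSL picks the certificate from what the client supports.
frontend https_in
    mode http
    bind :443 ssl crt /etc/haproxy/certs/example.pem
    default_backend app

backend app
    mode http
    server app1 127.0.0.1:8080
```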


