Hey guys,
Happy new year!
I¹ve attached a patch to fix formatting issues in the doc for my section:
Thanks!
-Dave
On 12/15/15, 1:13 AM, "Willy Tarreau" wrote:
>Hi Lukas,
>
>On Tue, Dec 15, 2015 at 01:44:18AM +0100, Lukas Tribus wrote:
>> Hey guys,
>>
>> thanks everyone
Sorry for the spam, just found another error.
New patch attached.
-Dave
On 1/5/16, 12:56 PM, "Dave Zhu (yanbzhu)" <yanb...@cisco.com> wrote:
>Hey guys,
>
>Happy new year!
>
>I¹ve attached a patch to fix formatting issues in the doc for my section:
>
>Tha
On 12/14/15, 5:27 AM, "Willy Tarreau" <w...@1wt.eu> wrote:
>Hi guys,
>
>On Thu, Dec 10, 2015 at 09:29:57PM +0100, Janusz Dziemidowicz wrote:
>> 2015-12-10 21:14 GMT+01:00 Dave Zhu (yanbzhu) <yanb...@cisco.com>:
>> > Finished OCSP portion. It???s in
at 10:32:02PM +, Dave Zhu (yanbzhu) wrote:
>> Hey Willy,
>>
>> On 12/8/15, 5:27 PM, "Willy Tarreau" <w...@1wt.eu> wrote:
>> >
>> >In my opinion, these suffixes should be used only after the real cert
>> >file name. So when you load &quo
Hey Willy,
On 12/8/15, 5:40 PM, "Willy Tarreau" wrote:
>>>I do think so. We'll just have to remerge 4, 5 and 6 into their
>>>respective
>> >patches (2 apparently) and we're good to go. If Emeric doesn't raise
>>any
>> >objection (apparently you addressed his concerns) I can merge
etting the RSA certificate.
-Bryan
On Mon, Dec 7, 2015 at 1:44 PM, Willy Tarreau <w...@1wt.eu<mailto:w...@1wt.eu>>
wrote:
On Mon, Dec 07, 2015 at 08:48:53PM +, Dave Zhu (yanbzhu) wrote:
> Hey Willy
>
> On 12/7/15, 3:11 PM, "Willy Tarreau" <w...@1wt.eu&l
connect AND
negotiate and use the 256 bit ECDSA certificate and not the RSA cert. My tests
always show the ECC capable client still getting the RSA certificate.
-Bryan
On Mon, Dec 7, 2015 at 1:44 PM, Willy Tarreau <w...@1wt.eu<mailto:w...@1wt.eu>>
wrote:
On Mon, Dec 07, 201
Hey Willy,
On 12/8/15, 5:27 PM, "Willy Tarreau" wrote:
>
>In my opinion, these suffixes should be used only after the real cert
>file name. So when you load "foobar.ecdsa", you should only consider
>"foobar.ecdsa.ocsp" and so on. And from what I remember, on the CLI
>we mention the
mailto:ni...@nimzo.info>>,
"haproxy@formilux.org<mailto:haproxy@formilux.org>"
<haproxy@formilux.org<mailto:haproxy@formilux.org>>
Subject: Re: Contribution for HAProxy: Peer Cipher based SSL CTX switching
On Tue, Dec 8, 2015 at 11:18 AM, Dave Zhu (yanbzhu)
<yanb.
ching
On Fri, Dec 4, 2015 at 10:17 AM, Bryan Talbot
<bryan.tal...@ijji.com<mailto:bryan.tal...@ijji.com>> wrote:
On Fri, Dec 4, 2015 at 6:15 AM, Dave Zhu (yanbzhu)
<yanb...@cisco.com<mailto:yanb...@cisco.com>> wrote:
Hey Bryan,
it’s strange that it’s always loading the ECC cert. I j
based SSL CTX switching
On Fri, Dec 4, 2015 at 10:17 AM, Bryan Talbot
<bryan.tal...@ijji.com<mailto:bryan.tal...@ijji.com>> wrote:
On Fri, Dec 4, 2015 at 6:15 AM, Dave Zhu (yanbzhu)
<yanb...@cisco.com<mailto:yanb...@cisco.com>> wrote:
Hey Bryan,
it’s strange tha
.com>>,
"haproxy@formilux.org<mailto:haproxy@formilux.org>"
<haproxy@formilux.org<mailto:haproxy@formilux.org>>
Subject: Re: Contribution for HAProxy: Peer Cipher based SSL CTX switching
On Fri, Dec 4, 2015 at 10:17 AM, Bryan Talbot
<bryan.tal...@ijji.com<mailto:b
here so people don’t have to track them down. Patches
1,2, and 3 are identical to the original.
Please take a look.
-Dave
On 12/3/15, 2:35 PM, "Willy Tarreau" <w...@1wt.eu> wrote:
>On Thu, Dec 03, 2015 at 07:24:10PM +, Dave Zhu (yanbzhu) wrote:
>> HAProxy will
In my testing with a bind line of
bind :8443 ssl crt ./var/tls/localhost.pem
the ECC cert is loaded if it is in that directory no matter what the file name
is.
-Bryan
On Thu, Dec 3, 2015 at 2:15 PM, Bryan Talbot
<bryan.tal...@ijji.com<mailto:bryan.tal...@ijji.com>> wrote:
On Thu
Hey Emeric,
I’m in the process of cleaning up the patches, indentation and style so
I’ll post up another set to the mailing list as Willy suggested.
-Dave
On 12/3/15, 9:56 AM, "Emeric Brun" <eb...@haproxy.com> wrote:
>On 12/02/2015 08:17 PM, Dave Zhu (yanbzhu) wrote:
>&g
Hey Willy
On 12/3/15, 1:40 AM, "Willy Tarreau" wrote:
>I didn't understand what you meant with this last sentence, it sounds like
>there could be multiple default contexts which are more or less randomly
>chosen so that confuses me.
Sorry if that was confusing. I was merely trying
Hey Willy
On 12/3/15, 1:34 PM, "Willy Tarreau" wrote:
>
>I'm sorry but I'm missing something. In which case could we have the
>choice
>between multiple SSL_CTX ? My understanding is that if the SNI is not
>found
>in the list, we currenlty fall back to the default cert. Now the
stored in memory instead of reading the file
multiple times.
This will be used to support a later commit to load multiple pkeys/certs
into a single SSL_CTX
On Thu, Dec 3, 2015 at 9:47 AM, Dave Zhu (yanbzhu)
<yanb...@cisco.com<mailto:yanb...@cisco.com>> wrote:
Hey Emer
Hey Emeric,
On 12/3/15, 9:56 AM, "Emeric Brun" wrote:
>
>But i notice some inconsistencies.
>
>Patch2 (crt conf keywoard):
>If the file without key extension is present, this file is loaded but
>also the multi_load is called.
>
>However in Patch3 (crt-list)
>If the file
.
Patch 1 - http://pastebin.com/B9KXnEZN
Patch 2 - http://pastebin.com/qFXq2Pbe
Patch 3 - http://pastebin.com/F9Y1N2YN
Please take a look.
-Dave
On 12/1/15, 10:09 AM, "Willy Tarreau" <w...@1wt.eu> wrote:
>Hi Dave,
>
>On Tue, Dec 01, 2015 at 03:04:21PM +, Dave Zhu (yanbz
Hey Willy,
On 8/25/15, 10:36 AM, Willy Tarreau w...@1wt.eu wrote:
This means that the RSA/DSA/ECDSA cert names must be derived from the
original cert name.
I¹ve thought of a way to avoid this behavior, with the end result being
very similar to what you/Emeric proposed.
What if we delayed the
Emeric,
Code initially use 'ctx-default_passwd_callback_userdata' to allow us to
manage a further way to manage passphrase via configuration.
As far as I could tell, this field was not getting set anywhere in the
code. It¹s set with SSL_CTX_set_default_passwd_cb, which I did not find in
the
Hey Emeric,
In 1.0.2, we can make use of API to load multiple certificate chains
into
a CTX. Prior to 1.0.2, you could not load the chains. So the checks
ensure
that we make use of the new APIs, and can then serve the correct
certificate to users based on the user¹s cipher suite.
I see,
Hey Willy
FWIW, some users ask that we can load a cert's passphrase from a file,
I was supposed to look at this but didn't have time, maybe the callback
above would be what will be needed for this, though I have no idea yet.
Willy
If that¹s the case, then we should definitely include the
Hey Emeric,
I think you don't notice that certificate in the wild card tree are not
stored using their fullnames (we exclude the '*' and start at the first
'.').
No I did not notice this, but I believe this is actually a good thing.
This way, crt-list entries with a filter will always get
On 8/21/15, 1:07 PM, Dave Zhu (yanbzhu) yanb...@cisco.com wrote:
Hey Emeric,
I think you don't notice that certificate in the wild card tree are not
stored using their fullnames (we exclude the '*' and start at the first
'.').
No I did not notice this, but I believe this is actually a good
Hey guys,
I haven’t gotten any feedback for this feature. Unless there’s severe
objections, I’ll go ahead and push this to up to master.
Thanks,
-Dave
On 7/7/15, 3:21 PM, Dave Zhu (yanbzhu) yanb...@cisco.com wrote:
Hey guys,
Sorry for the radio silence, other projects picked up and so I
Emeric responded here:
http://marc.info/?l=haproxym=143643724320705w=2
Not sure what you mean by pushing this to master...?
Lukas
I¹m so sorry for that. I did not get that email. Even though I am
subscribed to the list. IT must be filtering it somehow.
I¹ll use the website from now on.
Emeric responded here:
http://marc.info/?l=haproxym=143643724320705w=2
Not sure what you mean by pushing this to master...?
Lukas
I¹ve corrected the indentation to use tabs instead of spaces. Here¹s the
new diff:
Is there a better method to do code reviews other than using the mailing
list?
Hello all,
I’ve run into a situation where OpenSSL within haproxy needs to be put into
FIPS Mode (see links at bottom). The easiest way to do this is via a global
config option. This is pretty trivial to add.
Is there any interest in taking this feature into the main codebase? Are there
any
On 6/25/15, 5:17 AM, Remi Gacogne rgaco...@coredump.fr wrote:
Hey Remy, thanks for your feedback!
However, I have some concerns about the use of
SSL_set_session_secret_cb() for this feature, because it was clearly not
designed for this kind of manipulation. It has been removed from
BoringSSL
Hey,
Yes, sorry, I didn't realize it earlier but that's not true for all
OpenSSL versions. Starting with OpenSSL 1.0.0, tls1_process_ticket()
will decline decrypting session tickets sent by the client if the
session_secret_cb is in use:
if (s-tls_session_secret_cb)
Hey Willy,
Lukas explained it pretty well, but I can expound on it some more.
You can imagine a situation where HAProxy has 2 certificates of different
key types; one ECDSA and one RSA. In the current codebase, if no SNI is
used, the certificate that is used will be whichever certificate is the
I’ve coded up the functionality to check all of the intermediate
certificates to ensure that they match the private key of the crt file.
I’ve decided to toggle this functionality as a config option. Users can
either choose to disable this entire feature (default), match only the
private key/cert,
No, I do not handle that case at the moment. This is the kind of feedback
I¹m looking for so thanks!
I will start modifying the code to try to accommodate this.
Any thoughts on the version of OpenSSL to try to code to?
-Dave
On 6/24/15, 11:54 AM, Lukas Tribus luky...@hotmail.com wrote:
Does
On 6/24/15, 2:58 PM, Willy Tarreau w...@1wt.eu wrote:
What I'm understanding here is that instead of using SNI only as the key
to pick a cert, we want the (SNI, algo) combination. Coudln't we have two
certs per SNI entry ? One in RSA form, the other one in ECDSA, and only
provide what is supported
Hello all,
I have a proposed enhancement that I have coded up and would like your comments.
The idea behind this is that when HAProxy is used to terminate SSL, and is
configured with multiple certificates/keys with different key types (RSA,
ECDSA, DSA), it only serves up the first cert/key
37 matches
Mail list logo