Re: [PATCH] ssl certificates load speedup and dedup (pem/ctx)

2020-01-31 Thread Emmanuel Hocdet
Hi William, > On 27 Jan 2020 at 16:55, Emmanuel Hocdet wrote: >> >> With ‘ssl crt foo.pem chain bar.pem’, or crt-list with ‘foo.pem [chain >> bar.pem]’, >> deduplicate chain look like deduplicate ca-file. >> Find ocsp_issuer with this chain doesn’t work directly, but it seems doable. >>

Re: [PATCH] ssl certificates load speedup and dedup (pem/ctx)

2020-01-27 Thread Emmanuel Hocdet
Hi William, > > With ‘ssl crt foo.pem chain bar.pem’, or crt-list with ‘foo.pem [chain > bar.pem]’, > deduplicate chain look like deduplicate ca-file. > Find ocsp_issuer with this chain doesn’t work directly, but it seems doable. > For CLI, reload cert when chain is updated seem also

Re: [PATCH] ssl certificates load speedup and dedup (pem/ctx)

2020-01-25 Thread William Dauchy
On Sat, Jan 25, 2020 at 6:31 PM William Lallemand wrote: > There is no limitation with the chroot since the file is uploaded over the > CLI. > If you use the "set ssl cert" and "commit ssl cert" commands over the CLI the > chroot option is not supposed to affect these. > > Do you have an example

Re: [PATCH] ssl certificates load speedup and dedup (pem/ctx)

2020-01-25 Thread William Lallemand
On Sat, Jan 25, 2020 at 04:59:42PM +, William Dauchy wrote: > On Fri, Jan 24, 2020 at 4:40 PM William Lallemand > wrote: > > What we are trying to do with the certificates and the CLI, is to be able > > to do > > a 'reload' of the filesystem, but without reloading haproxy. You could > >

Re: [PATCH] ssl certificates load speedup and dedup (pem/ctx)

2020-01-25 Thread William Dauchy
On Fri, Jan 24, 2020 at 4:40 PM William Lallemand wrote: > What we are trying to do with the certificates and the CLI, is to be able to > do > a 'reload' of the filesystem, but without reloading haproxy. You could imagine > an haproxy helper (let's say `haproxyctl cert reload`) that will scan

Re: [PATCH] ssl certificates load speedup and dedup (pem/ctx)

2020-01-24 Thread Emmanuel Hocdet
> On 24 Jan 2020 at 16:38, William Lallemand wrote: > > On Fri, Jan 24, 2020 at 01:22:05PM +0100, Emmanuel Hocdet wrote: >> >> Hi William, >> > Hello Manu! > >>> On 23 Jan 2020 at 16:20, William Lallemand >>> wrote: >>> >>> That's not a good idea to be able to add a new path to

Re: [PATCH] ssl certificates load speedup and dedup (pem/ctx)

2020-01-24 Thread William Lallemand
On Fri, Jan 24, 2020 at 01:22:05PM +0100, Emmanuel Hocdet wrote: > > Hi William, > Hello Manu! > > On 23 Jan 2020 at 16:20, William Lallemand > > wrote: > > > > That's not a good idea to be able to add a new path to the list each time > > this > > keyword is found, this is not how the

Re: [PATCH] ssl certificates load speedup and dedup (pem/ctx)

2020-01-24 Thread Emmanuel Hocdet
Hi Tim, > On 23 Jan 2020 at 17:21, Tim Düsterhus wrote: > > Manu, > > On 21.01.20 at 12:42, Emmanuel Hocdet wrote: >> Patches updated, depend on "[PATCH] BUG/MINOR: ssl: >> ssl_sock_load_pem_into_ckch is not consistent" > > Out of curiosity: > >> +issuer-path >> + Assigns a directory

Re: [PATCH] ssl certificates load speedup and dedup (pem/ctx)

2020-01-24 Thread Emmanuel Hocdet
Hi William, > On 23 Jan 2020 at 16:20, William Lallemand wrote: > > On Tue, Jan 21, 2020 at 12:42:04PM +0100, Emmanuel Hocdet wrote: >> Hi, >> >> Patches updated, depend on "[PATCH] BUG/MINOR: ssl: >> ssl_sock_load_pem_into_ckch is not consistent" >> > > Hello, > > It could be great

Re: [PATCH] ssl certificates load speedup and dedup (pem/ctx)

2020-01-23 Thread Tim Düsterhus
Manu, On 21.01.20 at 12:42, Emmanuel Hocdet wrote: > Patches updated, depend on "[PATCH] BUG/MINOR: ssl: > ssl_sock_load_pem_into_ckch is not consistent" Out of curiosity: > +issuer-path > + Assigns a directory to load certificate chain for issuer completion. All > + files must be in PEM

Re: [PATCH] ssl certificates load speedup and dedup (pem/ctx)

2020-01-23 Thread William Lallemand
On Tue, Jan 21, 2020 at 12:42:04PM +0100, Emmanuel Hocdet wrote: > Hi, > > Patches updated, depend on "[PATCH] BUG/MINOR: ssl: > ssl_sock_load_pem_into_ckch is not consistent" > > ++ > Manu > Hello, It could be great to share more of the certificates in memory, but some points are confusing

Re: [PATCH] ssl certificates load speedup and dedup (pem/ctx)

2020-01-21 Thread Emmanuel Hocdet
Hi, Patches updated, depend on "[PATCH] BUG/MINOR: ssl: ssl_sock_load_pem_into_ckch is not consistent" ++ Manu On 10 Apr 2019 at 13:23, Emmanuel Hocdet wrote: Hi, Updated patch series: Fix OpenSSL < 1.0.2 compatibility. More generic key for issuers ebtree. ++ Manu

Re: [PATCH] ssl certificates load speedup and dedup (pem/ctx)

2019-04-10 Thread Emmanuel Hocdet
Hi, Updated patch series: Fix OpenSSL < 1.0.2 compatibility. More generic key for issuers ebtree. ++ Manu 0001-REORG-ssl-promote-cert_key_and_chain-handling.patch Description: Binary data 0002-MINOR-ssl-use-STACK_OF-for-chain-certs.patch Description: Binary data

Re: [PATCH] ssl certificates load speedup and dedup (pem/ctx)

2019-01-08 Thread Emmanuel Hocdet
Hi Emeric, > On 7 Jan 2019 at 18:11, Emeric Brun wrote: > > Hi Manu, > > On 1/7/19 5:59 PM, Emmanuel Hocdet wrote: >> It's better with patches… >> >>> On 7 Jan 2019 at 17:57, Emmanuel Hocdet >> > wrote: >>> >>> Hi, >>> >>> Following the first patch series

Re: [PATCH] ssl certificates load speedup and dedup (pem/ctx)

2019-01-07 Thread Emeric Brun
Hi Manu, On 1/7/19 5:59 PM, Emmanuel Hocdet wrote: > It's better with patches… > >> On 7 Jan 2019 at 17:57, Emmanuel Hocdet > > wrote: >> >> Hi, >> >> Following the first patch series (included). >> The goal is to deduplicate common certificates in memory and in shared

Re: [PATCH] ssl certificates load speedup and dedup (pem/ctx)

2019-01-07 Thread Emmanuel Hocdet
It's better with patches… On 7 Jan 2019 at 17:57, Emmanuel Hocdet wrote: Hi, Following the first patch series (included). The goal is to deduplicate common certificates in memory and in shared pem files. PATCH 7/8 is only for boringssl (directive to dedup certificate in memory for

[PATCH] ssl certificates load speedup and dedup (pem/ctx)

2019-01-07 Thread Emmanuel Hocdet
Hi, Following the first patch series (included). The goal is to deduplicate common certificates in memory and in shared pem files. PATCH 7/8 is only for boringssl (directive to dedup certificate in memory for ctx) Last patch should be the more interesting: [PATCH 8/8] MINOR: ssl: add