Re: Logging SSL pre-master-key

2017-06-12 Thread Patrick Hemmer
On 2017/6/12 15:14, Lukas Tribus wrote: > Hello, > > > On 12.06.2017 at 19:35, Patrick Hemmer wrote: >> Would we be able to get a new sample which provides the SSL session >> master-key? >> This is so that when performing packet captures with ephemeral ciphers >> (DHE), we can decrypt the

Re: Logging SSL pre-master-key

2017-06-12 Thread Lukas Tribus
Hello, On 12.06.2017 at 19:35, Patrick Hemmer wrote: > Would we be able to get a new sample which provides the SSL session > master-key? > This is so that when performing packet captures with ephemeral ciphers > (DHE), we can decrypt the traffic in the capture. There is no master key. What you

Logging SSL pre-master-key

2017-06-12 Thread Patrick Hemmer
Would we be able to get a new sample which provides the SSL session master-key? This is so that when performing packet captures with ephemeral ciphers (DHE), we can decrypt the traffic in the capture. -Patrick

Re: Feature request: disable CA/distinguished names.

2017-06-12 Thread Emmanuel Hocdet
Thanks for the explanation. I think a parameter like 'no-ca-names' could do the job, or do you have a better name? Manu > On 12 June 2017 at 14:32, Wolvers, Bas wrote: > > If you connect to a haproxy TLS server with CA names on (verify optional or > required) part

[PATCH] MEDIUM: ssl: allow haproxy to start without default certificate

2017-06-12 Thread Emmanuel Hocdet
In haproxy 1.8dev, the default certificate can now be optional. This patch allows that. Manu 0001-MEDIUM-ssl-allow-haproxy-to-start-without-default-ce.patch Description: Binary data > On 29 May 2017 at 11:09, Emmanuel Hocdet wrote: > > > Hi Simos, > > The workaround is to

RE: Feature request: disable CA/distinguished names.

2017-06-12 Thread Wolvers, Bas
If you connect to a haproxy TLS server with CA names on (verify optional or required), part of the server hello message is the list of CAs that are accepted. The client can use this list to decide which certificate to send as its client certificate. The problem arises when this list is long,

Re: Feature request: disable CA/distinguished names.

2017-06-12 Thread Emmanuel Hocdet
I don't understand. CA certs are loaded by haproxy when needed, i.e. if the 'ca-file' parameter is used and 'verify' is set to 'optional' or 'required'. > On 12 June 2017 at 13:00, Wolvers, Bas wrote: > > For setups with large amounts of CA certs it can be a really good

Backend Sessions Limit

2017-06-12 Thread Pavel Mádr
Hello, Please explain to me the Limit field of Backend Sessions on the stats page. There is always a value of 200 there. I can't find any argument for changing it. I used to use version 1.4 and it showed 0 for that limit. I tried to send a lot of requests and Max Sessions on the Backend was e.g. 900, but the limit was 200.

Feature request: disable CA/distinguished names.

2017-06-12 Thread Wolvers, Bas
For setups with large amounts of CA certs it can be a really good idea to turn off CA names in the key exchange. As far as I understand, it is optional to send CA names, and it works fine with these turned off. This is also called distinguished names. To do this a single line should not be