roxy@formilux.org
> Subject: Re: HAProxy with native SSL support !
>
> On Tue, Sep 04, 2012 at 06:52:24PM +0200, Lukas Tribus wrote:
> > A few more comments about (C)yassl:
> >
> > - development of new features is obviously not as fast as in OpenSSL. For
> > ex
A few links on our blogs related to Willy's mail and your problem:
- SSLID persistence:
http://blog.exceliance.fr/2011/07/04/maintain-affinity-based-on-ssl-session-id/
- Content switching based on SNI in HAProxy:
http://blog.exceliance.fr/2012/04/13/enhanced-ssl-load-balancing-with-server-name-i
Hi David,
On Wed, Sep 12, 2012 at 10:07:58PM +, David Torgerson wrote:
> haproxy SSL termination... Awesome!!
>
> I have been in the process of replacing our hardware appliances with a
> software
> based solution running in a virtualized environment.
>
> We currently have a project ru
haproxy SSL termination... Awesome!!
I have been in the process of replacing our hardware appliances with a software
based solution running in a virtualized environment.
We currently have a project running in semi-beta mode to a closed set of users.
Our current load is around 2500 new ssl
Hi Guillaume,
On Tue, Sep 04, 2012 at 09:16:17AM +0200, Willy Tarreau wrote:
> Hi,
>
> On Tue, Sep 04, 2012 at 09:12:53AM +0200, Guillaume Castagnino wrote:
> > Hi,
> >
> > Great news !
> > Just one question: is SNI support planned ? This would be great to allow
> > one certificate per named vh
Hey Willy and the rest of Exceliance team,
Awesome work, you guys rock!
So looking forward to trying this on my systems.
.pelle
On Tue, Sep 4, 2012 at 1:37 AM, Willy Tarreau wrote:
> Hi all,
>
> today is a great day (could say night considering the time I'm posting) !
>
> After several months
> -(C)yassl doesn't support - by design - renegotiation. They also don't
> implement RFC4756 (secure renegotiation), see [3]. While this is not
> a security problem (from a server point of view), it will become an
> interoperability problem sooner or later, once browser vendors "ma
On Tue, Sep 04, 2012 at 06:52:24PM +0200, Lukas Tribus wrote:
> A few more comments about (C)yassl:
>
> - development of new features is obviously not as fast as in OpenSSL. For
> example TLS SNI is not supported yet (ETA: next release) [1]. This feature
> was introduced in 2007 (0.9.8f
Hi Justin,
On Tue, Sep 04, 2012 at 09:45:39AM -0700, Justin Karneges wrote:
> Usually, the most expensive operations in TLS are the public key ones at the
> start of a negotiation (and possibly a renegotiation, though I'm not sure of
> protocol details there). However, pretty much all other TLS
Hi,
> In fact when I say "yassl", I really mean "CyaSSL".
Ok, great.
A few more comments about (C)yassl:
- development of new features is obviously not as fast as in OpenSSL. For
example TLS SNI is not supported yet (ETA: next release) [1]. This feature
was introduced in 2007 (0.9
On Tuesday, September 04, 2012 08:41:44 AM Willy Tarreau wrote:
> On Mon, Sep 03, 2012 at 11:21:51PM -0700, Justin Karneges wrote:
> > On Tuesday, September 04, 2012 01:37:17 AM Willy Tarreau wrote:
> > > After several months of efforts by the Exceliance team, we managed to
> > > rework all the buf
Great ! Thanks to the team ! :-)
2012/9/4 Willy Tarreau
> On Tue, Sep 04, 2012 at 04:12:43PM +0200, Lukas Tribus wrote:
> > > However if we see a much higher performance level by using the native
> API,
> > > we'd probably write a 3rd data layer dedicated to yassl, and would
> probably
> > > re
On Tue, Sep 04, 2012 at 04:12:43PM +0200, Lukas Tribus wrote:
> > However if we see a much higher performance level by using the native API,
> > we'd probably write a 3rd data layer dedicated to yassl, and would probably
> > rename the current SSL data layer so that we can choose the one we want at
--
> Date: Tue, 4 Sep 2012 15:26:24 +0200
> From: w...@1wt.eu
> To: luky...@hotmail.com
> CC: haproxy@formilux.org
> Subject: Re: HAProxy with native SSL support !
>
> Hi Lukas,
>
> On Tue, Sep 04, 2012 at 03:05:14PM +0200, Lukas Tribus wrote:
> >
Hi David,
On Tue, Sep 04, 2012 at 03:15:13PM +0200, David BERARD wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi,
>
> On 04/Sep - 01:37, Willy Tarreau wrote:
> >| Have a lot of fun and please report your success/failures,
> >| Willy
>
> Thanks a lot for this useful feature. It
Hi Lukas,
On Tue, Sep 04, 2012 at 03:05:14PM +0200, Lukas Tribus wrote:
> Willy, this is huge! Great, great work!
>
> A few comments/questions:
>
> - are you running latest and greatest openssl on demo.1wt.eu? I am asking
> because Secure Renegotiation doesn't seem to be supported [1]. Older
> (
Emeric reported that the build fails without USE_OPENSSL, which is caused
by a last-minute change I did yesterday evening. It shows up as "ssl_cert"
not being part of a structure.
If you get this, please use the attached patch.
Regards,
Willy
>From ff9f7698fcefef66bceb1ec32a3da8b14947a594 Mon Se
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
On 04/Sep - 01:37, Willy Tarreau wrote:
>| Have a lot of fun and please report your success/failures,
>| Willy
Thanks a lot for this useful feature. It works well on a dual PPC64 Linux
server.
I wrote a small patch to add the SSL_OP_CIPHER_SERV
Willy, this is huge! Great, great work!
A few comments/questions:
- are you running latest and greatest openssl on demo.1wt.eu? I am asking
because Secure Renegotiation doesn't seem to be supported [1]. Older (<1.0.0?)
releases seem to have a higher memory overhead as well, iirc.
- I see you h
Hi Joris,
On Tue, Sep 04, 2012 at 01:45:29PM +0200, joris dedieu wrote:
> Hi, Willy
>
> Thanks for this long time expected feature !
>
> >
> > Have a lot of fun and please report your success/failures,
>
> There is an include issue in this snapshot on FreeBSD (which is not I
> think ssl related
Hi, Willy
Thanks for this long time expected feature !
>
> Have a lot of fun and please report your success/failures,
There is an include issue in this snapshot on FreeBSD (which is not I
think ssl related) :
gmake TARGET=freebsd USE_OPENSSL=1
gcc -Iinclude -Iebtree -Wall -O2 -g -fno-strict-al
Congratulations Willy and Team...
On Tue, Sep 4, 2012 at 3:59 PM, Willy Tarreau wrote:
> On Tue, Sep 04, 2012 at 05:56:14PM +1000, Duncan Hall wrote:
> > On 04/09/12 09:37, Willy Tarreau wrote:
> > >
> > >Have a lot of fun and please report your success/failures,
> > >Willy
> > >
> > >
> >
> > S
On Tue, Sep 04, 2012 at 05:56:14PM +1000, Duncan Hall wrote:
> On 04/09/12 09:37, Willy Tarreau wrote:
> >
> >Have a lot of fun and please report your success/failures,
> >Willy
> >
> >
>
> Small issue when compiling on CentOS 5.8 64bit against RPM versions of
> openssl-devel and e2fsprogs-devel-
All,
A small howto to play with it can be found here:
http://blog.exceliance.fr/2012/09/04/howto-ssl-native-in-haproxy/
cheers
Great!
Thanks Willy,
From: Willy Tarreau
To: haproxy@formilux.org
Sent: Tuesday, September 4, 2012 1:37
Subject: HAProxy with native SSL support !
Hi all,
today is a great day (could say night considering the time I'm posting) !
After several months
On 04/09/12 09:37, Willy Tarreau wrote:
Have a lot of fun and please report your success/failures,
Willy
Small issue when compiling on CentOS 5.8 64bit against RPM versions of
openssl-devel and e2fsprogs-devel-1.39-34.el5_8.1 I get the following:
make TARGET=linux2628 USE_OPENSSL=1
gcc -I
On Tue, 04 Sep 2012 09:12:53 CEST, Guillaume Castagnino wrote:
Hi,
Great news !
Just one question: is SNI support planned ? This would be great to allow
one certificate per named vhost.
I'm currently stuck with nginx for the SSL layer because of this feature
(I know that stunnel and stud re
Hi,
On Tue, Sep 04, 2012 at 09:12:53AM +0200, Guillaume Castagnino wrote:
> Hi,
>
> Great news !
> Just one question: is SNI support planned ? This would be great to allow
> one certificate per named vhost.
Yes it's planned but not done yet. Emeric sees how to implement this but
we wanted to pr
Hi,
Great news !
Just one question: is SNI support planned ? This would be great to allow
one certificate per named vhost.
I'm currently stuck with nginx for the SSL layer because of this feature
(I know that stunnel and stud recently got this feature, but not yet
tested). This would allow me t
Hi Willy,
congratulations to the whole Team.
Thanks for this feature, now the SSL-chain is much simpler ;-)
BR
Aleks
On 04-09-2012 01:37, Willy Tarreau wrote:
Hi all,
today is a great day (could say night considering the time I'm
posting) !
After several months of efforts by the Excelia
On Mon, Sep 03, 2012 at 11:21:51PM -0700, Justin Karneges wrote:
> On Tuesday, September 04, 2012 01:37:17 AM Willy Tarreau wrote:
> > After several months of efforts by the Exceliance team, we managed to
> > rework all the buffer and connection layers in order to get SSL working
> > on both sides
On Tuesday, September 04, 2012 01:37:17 AM Willy Tarreau wrote:
> After several months of efforts by the Exceliance team, we managed to
> rework all the buffer and connection layers in order to get SSL working
> on both sides of HAProxy.
Very cool.
Since HAProxy is event-driven, is anything done
What a great news !
Let's go testing on internal applications.
Congrats to the Exceliance team !
Hervé.
On 09/04/2012 08:12 AM, Willy Tarreau wrote:
> Just for the few who have already downloaded it, I have re-uploaded
> the snapshot with a fix (I failed my attempt at automatically renaming
> i
Just for the few who have already downloaded it, I have re-uploaded
the snapshot with a fix (I failed my attempt at automatically renaming
it so it ended up with the same name).
There was a bug affecting the combination of accept-proxy + ssl which
I just fixed.
Regards,
Willy
Awesome news ! I have been waiting for this for a while. :)
On Sep 3, 2012, at 4:37 PM, Willy Tarreau wrote:
> Hi all,
>
> today is a great day (could say night considering the time I'm posting) !
>
> After several months of efforts by the Exceliance team, we managed to
> rework all the buffer
Great day indeed, can't wait to do some tests.
Thanks
On 3 September 2012 20:37, Willy Tarreau wrote:
> Hi all,
>
> today is a great day (could say night considering the time I'm posting) !
>
> After several months of efforts by the Exceliance team, we managed to
> rework all the buffer and conn