Re: Certificates dynamic update
Thanks for the confirmation ;)

Thierry

On Fri, 14 Oct 2016 12:13:21 +0200 Beluc wrote:
> It would be great: tons of SSL certificates make haproxy take very long to
> start/restart/reload.
>
> 2016-10-11 10:04 GMT+02:00 Thierry Fournier:
> > Hi list,
> >
> > I have for project to write a dynamic update of the SSL certificates. I
> > encountered some cases where haproxy deals with many websites, and it
> > would be great if we could replace / add certificates without restarting
> > HAProxy.
> >
> > I'm looking for some opinions or advice.
> >
> > I need to:
> >
> > - list the currently loaded certificate IDs (embedding ECDSA).
> >
> > - add or replace certificates embedding the 3 certificate versions
> > RSA/DSA/ECDSA and the SNI filter.
> >
> > - delete SNI entries (and the certificates if it is the last one).
> >
> > For the listing of the certificates, I need to scan the content of the
> > OpenSSL SSL_CTX and extract the certificate IDs. It seems impossible;
> > OpenSSL does not seem to give a method for doing this. So I propose to
> > memorize the certificate IDs when each certificate is added in an
> > SSL_CTX.
> >
> > For the list:
> >
> >    show ssl [proxy/listener]
> >
> > This command lists all certificates by SNI for a listener. If the
> > proxy/listener is not specified, the command lists the available proxies
> > and listeners.
> >
> >
> > For the replacement or update, I propose some CLI commands like this:
> >
> >    set ssl certificate begin proxy/listener [sni filters]
> >
> > This command creates a new SSL context that will be filled with the
> > following commands. If a previous context exists it is destroyed. This
> > is incompatible with concurrent access to the CLI.
> >
> >    set ssl certificate (any|rsa|ecdsa|dsa)
> >
> >    EOF
> >
> > The difficulty is to mark the end of the certificate, so I propose to
> > mark the end with the string "\nEOF\n".
> >
> >    set ssl certificate commit
> >
> > This command validates, installs new certificates and removes old
> > certificates.
> >
> >
> > And finally this command destroys an existing certificate:
> >
> >    del ssl certificate proxy/listener id
> >
> > Any ideas or comments?
> >
> > Thanks
> > Thierry
> >
> > --
> > Thierry Fournier
> > m: +33 6 68 69 21 85 | e: thierry.fourn...@ozon.io
> > w: http://www.ozon.io/ | b: http://blog.ozon.io/
Re: Certificates dynamic update
It would be great: tons of SSL certificates make haproxy take very long to start/restart/reload.

2016-10-11 10:04 GMT+02:00 Thierry Fournier:
> Hi list,
>
> I have for project to write a dynamic update of the SSL certificates. I
> encountered some cases where haproxy deals with many websites, and it
> would be great if we could replace / add certificates without restarting
> HAProxy.
>
> I'm looking for some opinions or advice.
>
> I need to:
>
> - list the currently loaded certificate IDs (embedding ECDSA).
>
> - add or replace certificates embedding the 3 certificate versions
> RSA/DSA/ECDSA and the SNI filter.
>
> - delete SNI entries (and the certificates if it is the last one).
>
> For the listing of the certificates, I need to scan the content of the
> OpenSSL SSL_CTX and extract the certificate IDs. It seems impossible;
> OpenSSL does not seem to give a method for doing this. So I propose to
> memorize the certificate IDs when each certificate is added in an
> SSL_CTX.
>
> For the list:
>
>    show ssl [proxy/listener]
>
> This command lists all certificates by SNI for a listener. If the
> proxy/listener is not specified, the command lists the available proxies
> and listeners.
>
>
> For the replacement or update, I propose some CLI commands like this:
>
>    set ssl certificate begin proxy/listener [sni filters]
>
> This command creates a new SSL context that will be filled with the
> following commands. If a previous context exists it is destroyed. This
> is incompatible with concurrent access to the CLI.
>
>    set ssl certificate (any|rsa|ecdsa|dsa)
>
>    EOF
>
> The difficulty is to mark the end of the certificate, so I propose to
> mark the end with the string "\nEOF\n".
>
>    set ssl certificate commit
>
> This command validates, installs new certificates and removes old
> certificates.
>
>
> And finally this command destroys an existing certificate:
>
>    del ssl certificate proxy/listener id
>
> Any ideas or comments?
>
> Thanks
> Thierry
>
> --
> Thierry Fournier
> m: +33 6 68 69 21 85 | e: thierry.fourn...@ozon.io
> w: http://www.ozon.io/ | b: http://blog.ozon.io/
Certificates dynamic update
Hi list,

I have for project to write a dynamic update of the SSL certificates. I encountered some cases where haproxy deals with many websites, and it would be great if we could replace / add certificates without restarting HAProxy.

I'm looking for some opinions or advice.

I need to:

- list the currently loaded certificate IDs (embedding ECDSA).

- add or replace certificates embedding the 3 certificate versions RSA/DSA/ECDSA and the SNI filter.

- delete SNI entries (and the certificates if it is the last one).

For the listing of the certificates, I need to scan the content of the OpenSSL SSL_CTX and extract the certificate IDs. It seems impossible; OpenSSL does not seem to give a method for doing this. So I propose to memorize the certificate IDs when each certificate is added in an SSL_CTX.

For the list:

   show ssl [proxy/listener]

This command lists all certificates by SNI for a listener. If the proxy/listener is not specified, the command lists the available proxies and listeners.

For the replacement or update, I propose some CLI commands like this:

   set ssl certificate begin proxy/listener [sni filters]

This command creates a new SSL context that will be filled with the following commands. If a previous context exists it is destroyed. This is incompatible with concurrent access to the CLI.

   set ssl certificate (any|rsa|ecdsa|dsa)

   EOF

The difficulty is to mark the end of the certificate, so I propose to mark the end with the string "\nEOF\n".

   set ssl certificate commit

This command validates, installs new certificates and removes old certificates.

And finally this command destroys an existing certificate:

   del ssl certificate proxy/listener id

Any ideas or comments?

Thanks
Thierry

--
Thierry Fournier
m: +33 6 68 69 21 85 | e: thierry.fourn...@ozon.io
w: http://www.ozon.io/ | b: http://blog.ozon.io/
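Added example, not code from the thread and not HAProxy's own interface: a client-side encoder for the begin / set / commit sequence exactly as proposed above, with the check a practitioner would want before trusting an in-band terminator. Because the certificate payload and the CLI commands share one stream, any payload line equal to "EOF" would end the certificate early and hand the rest of the payload to the CLI as further commands; the encoder therefore refuses anything that is not strictly RFC 7468-formatted PEM (and a bare "EOF" line outright) before framing it. The command names, the listener "https/bind1" and the SNI filter are taken from the proposal or made up for illustration; the PEM blocks are constructed filler bytes, not real certificates or keys.

```python
"""Client-side encoder for the certificate-update CLI sequence proposed in the
thread. Commands, listener name and SNI filter are hypothetical (from the
proposal, not a shipped HAProxy); PEM payloads are constructed filler bytes,
not real certificates or keys."""
import base64
import binascii
import re

# In-band terminator proposed in the thread: a line containing exactly "EOF".
TERMINATOR = "EOF"

# Key types accepted by the proposed "set ssl certificate" command.
KEY_TYPES = ("any", "rsa", "ecdsa", "dsa")

_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
_END = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")
_B64 = re.compile(r"^[A-Za-z0-9+/=]+$")


def parse_pem(text):
    """Split PEM text into (label, der_bytes) tuples, enforcing strict framing.

    Strict RFC 7468 framing matters because the terminator is in-band: a
    payload line equal to TERMINATOR would end the certificate early and the
    remainder would be read as further CLI commands. A canonically encoded
    PEM body cannot contain such a line (every body line is 64 base64 chars
    except the last, whose length is a multiple of 4, so a 3-char "EOF" line
    never occurs); anything looser is rejected.
    """
    blocks, label, body = [], None, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line == TERMINATOR:
            raise ValueError(f"line {lineno}: payload contains terminator line {TERMINATOR!r}")
        m = _BEGIN.match(line)
        if m:
            if label is not None:
                raise ValueError(f"line {lineno}: BEGIN inside unterminated {label}")
            label, body = m.group(1), []
            continue
        m = _END.match(line)
        if m:
            if label is None or m.group(1) != label:
                raise ValueError(f"line {lineno}: END {m.group(1)} without matching BEGIN")
            if not body:
                raise ValueError(f"line {lineno}: empty {label} block")
            for i, b in enumerate(body):
                last = i == len(body) - 1
                if (not last and len(b) != 64) or (last and (len(b) % 4 or len(b) > 64)):
                    raise ValueError(f"{label}: body line {i + 1} has non-canonical length {len(b)}")
            try:
                der = base64.b64decode("".join(body), validate=True)
            except binascii.Error as exc:
                raise ValueError(f"{label}: bad base64: {exc}") from None
            blocks.append((label, der))
            label = None
            continue
        if label is None:
            if line.strip():
                raise ValueError(f"line {lineno}: text outside any PEM block")
            continue
        if not _B64.match(line):
            raise ValueError(f"line {lineno}: not a base64 line")
        body.append(line)
    if label is not None:
        raise ValueError(f"unterminated {label} block")
    if not blocks:
        raise ValueError("no PEM blocks found")
    return blocks


def build_update(listener, certs, sni_filters=()):
    """Encode one begin / set / commit transaction for `listener`.

    `certs` maps a key type to the PEM text (certificate plus key) to install.
    Each payload goes through parse_pem() first, so a malformed or hostile
    payload is refused instead of being sent to the CLI.
    """
    lines = [f"set ssl certificate begin {listener}"]
    if sni_filters:
        lines[0] += " " + " ".join(sni_filters)
    for key_type, pem in certs.items():
        if key_type not in KEY_TYPES:
            raise ValueError(f"unknown key type {key_type!r}")
        parse_pem(pem)
        lines.append(f"set ssl certificate {key_type}")
        lines.extend(pem.strip().splitlines())
        lines.append(TERMINATOR)
    lines.append("set ssl certificate commit")
    return "\n".join(lines) + "\n"


def fake_pem(label, payload):
    """Wrap bytes as a canonically formatted PEM block (constructed test data)."""
    b64 = base64.b64encode(payload).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# Constructed sample payload: filler bytes, not a real certificate or key.
SAMPLE_RSA = (fake_pem("CERTIFICATE", b"constructed sample, not a real certificate" * 3)
              + fake_pem("PRIVATE KEY", b"constructed sample key bytes" * 2))
# Hostile payload: smuggles the terminator and a follow-on command inside the PEM.
HOSTILE = "-----BEGIN CERTIFICATE-----\nEOF\nshow ssl\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    print(build_update("https/bind1", {"rsa": SAMPLE_RSA}, ("www.example.com",)))
    try:
        build_update("https/bind1", {"rsa": HOSTILE})
    except ValueError as exc:
        print("refused:", exc)
```

The transcript build_update() returns is what a client would write to the stats socket in one go; refusing non-canonical PEM on the client side is the cheap half of the fix, and the server side of such a protocol should equally reject a terminator that arrives before a well-formed END line rather than treating the truncated bytes as a certificate.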