Re: RSA & ECC certificates bundling on the same ip with aws-lc
Hello William,

Thanks for the prompt reply. So, as 3.1 is not an LTS version, that would mean we would need to wait for the release of 3.2, which is hopefully soon.

Thanks again!

On 08/01/2025 16:31, William Lallemand wrote:
> Hello Andrii,
>
> On Wed, Jan 08, 2025 at 04:23:56PM +0100, Andrii Ustymenko wrote:
> > Dear list,
> >
> > As of now haproxy supports hosting different types of certificates on the
> > same IP with certificate bundling:
> > https://docs.haproxy.org/3.0/configuration.html#ssl-load-extra-files
> >
> > That works fine with the OpenSSL library, but doesn't seem to work with the
> > aws-lc ssl library.
> >
> > When haproxy is built with aws-lc ssl, haproxy is able to use only one
> > certificate per endpoint.
> >
> > I have tried the following configurations with aws-lc ssl:
> >
> > 1) Multiple crt and ciphers in bind:
> >
> >     bind 0.0.0.0:443 ssl crt example-rsa.pem crt example-ecdsa.pem
> >
> > In this case the first declared certificate is used. Depending on the order
> > it can be ECC or RSA.
> >
> > 2) Bundling as described in
> > https://docs.haproxy.org/3.0/configuration.html#ssl-load-extra-files:
> >
> >     bind 0.0.0.0:443 ssl crt example.pem
> >
> > And two files with certificate extensions:
> >
> >     example.pem.ecdsa
> >     example.pem.rsa
> >
> > In this case the ECC (ECDSA) certificate is always used.
> >
> > Both examples above work fine with OpenSSL.
> >
> > Are there any other options to try?
> >
> > Thanks!
>
> We are still working on improving the AWS-LC support in HAProxy, and some of
> the features require an up-to-date version. We try to detail our progress on
> this page:
> https://github.com/haproxy/wiki/wiki/SSL-Libraries-Support-Status
>
> The ECDSA+RSA selection requires HAProxy 3.1 and an up-to-date AWS-LC
> version; you won't be able to make it work with haproxy 3.0.
>
> Regards,

-- 
Best regards,
Andrii Ustymenko
Re: RSA & ECC certificates bundling on the same ip with aws-lc
Hello Andrii,

On Wed, Jan 08, 2025 at 04:23:56PM +0100, Andrii Ustymenko wrote:
> Dear list,
>
> As of now haproxy supports hosting different types of certificates on the
> same IP with certificate bundling:
> https://docs.haproxy.org/3.0/configuration.html#ssl-load-extra-files
>
> That works fine with the OpenSSL library, but doesn't seem to work with the
> aws-lc ssl library.
>
> When haproxy is built with aws-lc ssl, haproxy is able to use only one
> certificate per endpoint.
>
> I have tried the following configurations with aws-lc ssl:
>
> 1) Multiple crt and ciphers in bind:
>
>     bind 0.0.0.0:443 ssl crt example-rsa.pem crt example-ecdsa.pem
>
> In this case the first declared certificate is used. Depending on the order
> it can be ECC or RSA.
>
> 2) Bundling as described in
> https://docs.haproxy.org/3.0/configuration.html#ssl-load-extra-files:
>
>     bind 0.0.0.0:443 ssl crt example.pem
>
> And two files with certificate extensions:
>
>     example.pem.ecdsa
>     example.pem.rsa
>
> In this case the ECC (ECDSA) certificate is always used.
>
> Both examples above work fine with OpenSSL.
>
> Are there any other options to try?
>
> Thanks!

We are still working on improving the AWS-LC support in HAProxy, and some of
the features require an up-to-date version. We try to detail our progress on
this page:
https://github.com/haproxy/wiki/wiki/SSL-Libraries-Support-Status

The ECDSA+RSA selection requires HAProxy 3.1 and an up-to-date AWS-LC
version; you won't be able to make it work with haproxy 3.0.

Regards,

-- 
William Lallemand
RSA & ECC certificates bundling on the same ip with aws-lc
Dear list,

As of now haproxy supports hosting different types of certificates on the
same IP with certificate bundling:
https://docs.haproxy.org/3.0/configuration.html#ssl-load-extra-files

That works fine with the OpenSSL library, but doesn't seem to work with the
aws-lc ssl library.

When haproxy is built with aws-lc ssl, haproxy is able to use only one
certificate per endpoint.

I have tried the following configurations with aws-lc ssl:

1) Multiple crt and ciphers in bind:

    bind 0.0.0.0:443 ssl crt example-rsa.pem crt example-ecdsa.pem

In this case the first declared certificate is used. Depending on the order
it can be ECC or RSA.

2) Bundling as described in
https://docs.haproxy.org/3.0/configuration.html#ssl-load-extra-files:

    bind 0.0.0.0:443 ssl crt example.pem

And two files with certificate extensions:

    example.pem.ecdsa
    example.pem.rsa

In this case the ECC (ECDSA) certificate is always used.

Both examples above work fine with OpenSSL.

Are there any other options to try?

Thanks!

-- 
Best regards,
Andrii Ustymenko
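The two configurations above only prove they work once you confirm that the listener hands the RSA certificate to an RSA-only client and the ECDSA certificate to an ECDSA-capable one, rather than serving whichever certificate it loaded first to everybody. The following probe is an added example, not code from this thread or from the HAProxy project: it drives `openssl s_client` with a restricted `signature_algorithms` list (the extension a dual-certificate selection keys on) and reports the key type of the leaf certificate it gets back. It assumes the `openssl` command line tool is on PATH; the host, port and SNI name are placeholders, and the sample x509 text used by `demo_offline` is constructed for illustration.

```bash
#!/bin/sh
# Added example, not from the HAProxy mailing list thread or the HAProxy project.
# Check which leaf certificate a TLS listener serves to clients that advertise
# only RSA or only ECDSA signature algorithms. Assumes `openssl` (1.1.1+ or 3.x)
# is on PATH. Host/port/SNI values are placeholders to be replaced by the caller.

# Map the "Public Key Algorithm" line of `openssl x509 -noout -text` output
# to a short tag. Prints one of: rsa, rsa-pss, ecdsa, unknown.
key_type_from_x509_text() {
    # $1: full text output of `openssl x509 -noout -text`
    case "$1" in
        *"Public Key Algorithm: id-ecPublicKey"*) echo ecdsa ;;
        *"Public Key Algorithm: rsaEncryption"*)  echo rsa ;;
        *"Public Key Algorithm: rsassaPss"*)      echo rsa-pss ;;
        *)                                        echo unknown ;;
    esac
}

# Connect once, offering only the given signature algorithms, and print the
# key type of the leaf certificate the server chose.
#   $1 host, $2 port, $3 sigalgs list (OpenSSL syntax), $4 SNI name
# Network call: not exercised by the offline demo below.
probe_leaf_key_type() {
    host=$1; port=$2; sigalgs=$3; sni=$4
    # s_client prints the leaf cert as PEM on stdout; x509 parses the first
    # PEM block it sees. Empty stdin closes the session right after the
    # handshake.
    text=$(printf '' | openssl s_client -connect "$host:$port" \
                -servername "$sni" -sigalgs "$sigalgs" 2>/dev/null \
           | openssl x509 -noout -text 2>/dev/null) || { echo error; return 1; }
    key_type_from_x509_text "$text"
}

# Run both probes against one endpoint and print "rsa-only-client=<tag>
# ecdsa-client=<tag>". A working RSA+ECDSA bundle yields two different tags;
# a listener that serves a single certificate yields the same tag twice.
compare_dual_cert() {
    host=$1; port=$2; sni=${3:-$1}
    rsa_tag=$(probe_leaf_key_type "$host" "$port" "RSA+SHA256:RSA-PSS+SHA256" "$sni")
    ec_tag=$(probe_leaf_key_type "$host" "$port" "ECDSA+SHA256:ECDSA+SHA384" "$sni")
    echo "rsa-only-client=$rsa_tag ecdsa-client=$ec_tag"
}

# Offline demonstration of the classifier on constructed x509 text fragments
# (these are not real certificates, just the lines the parser keys on).
demo_offline() {
    ec_sample='    Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)'
    rsa_sample='    Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)'
    echo "constructed ecdsa sample -> $(key_type_from_x509_text "$ec_sample")"
    echo "constructed rsa sample   -> $(key_type_from_x509_text "$rsa_sample")"
}

# Usage against a real listener (replace the placeholder host):
#   compare_dual_cert lb.example.internal 443
# Offline self-check:
#   demo_offline
```

Restricting `signature_algorithms` is the reliable way to steer selection because it applies to TLS 1.3, where there are no RSA- or ECDSA-specific cipher suites; for a TLS 1.2-only listener you can additionally pin `-cipher ECDHE-RSA-AES128-GCM-SHA256` or `-cipher ECDHE-ECDSA-AES128-GCM-SHA256` to the same effect. If `compare_dual_cert` prints the same tag for both probes, the bundle is not being selected per client, which is exactly the symptom reported in this thread for aws-lc builds before HAProxy 3.1.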