Re: HAProxy with native SSL support !

2012-09-13 Thread Willy Tarreau
Hi David, On Wed, Sep 12, 2012 at 10:07:58PM +, David Torgerson wrote: haproxy SSL termination... Awesome!! I have been in the process of replacing our hardware appliances with a software based solution running in a virtualized environment. We currently have a project running

Re: HAProxy with native SSL support !

2012-09-13 Thread Baptiste
A few links on our blogs related to Willy's mail and your problem: - SSLID persistence: http://blog.exceliance.fr/2011/07/04/maintain-affinity-based-on-ssl-session-id/ - Content switching based on SNI in HAProxy:
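Both blog topics Baptiste links to, affinity on the SSL session ID and content switching on SNI, rest on reading fields out of the client's first TLS record (the ClientHello) before any key exchange has happened, which is what a TCP-mode inspector can do without holding the private key. As an added example, not code from this thread, from those blog posts or from HAProxy itself, the Python below builds a minimal ClientHello, parses the session ID and the SNI host name back out of it, rejects truncated or non-TLS input, and maps the SNI name to a backend. The backend names, the fixed random bytes and the two cipher suites in the builder are assumptions constructed for the example. The comment on the session-ID length byte shows the offset arithmetic: 5-byte record header + 4-byte handshake header + 2-byte version + 32-byte random puts it at stream offset 43.

```python
import struct

SNI_EXT = 0x0000  # server_name extension type (RFC 6066)


def build_client_hello(server_name, session_id=b""):
    """Build a minimal TLS 1.2 ClientHello record carrying an SNI extension.

    Constructed test input for this example only: a real browser sends many
    more cipher suites and extensions, but the field layout is the same.
    """
    host = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host   # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext_sni = struct.pack("!HH", SNI_EXT, len(sni_list)) + sni_list
    ext_other = struct.pack("!HH", 0x0017, 0)                  # unrelated empty extension
    exts = ext_other + ext_sni                                 # SNI not first: parser must walk the list
    body = (b"\x03\x03" + b"\x11" * 32                         # client_version, fixed random (assumption)
            + bytes([len(session_id)]) + session_id
            + struct.pack("!H", 4) + b"\xc0\x2f\x00\x9c"       # two cipher suites (assumption)
            + b"\x01\x00"                                      # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(data):
    """Return (session_id, server_name) from the first bytes a client sends.

    Raises ValueError when the bytes are not a complete ClientHello; a TCP-mode
    inspector would then keep waiting (or give up after its inspect delay)
    rather than route on a partial record.
    """
    try:
        if data[0] != 0x16:
            raise ValueError("not a TLS handshake record")
        rec_len = struct.unpack("!H", data[3:5])[0]
        if len(data) < 5 + rec_len:
            raise ValueError("record not fully received yet")
        if data[5] != 0x01:
            raise ValueError("handshake message is not a ClientHello")
        hs_len = int.from_bytes(data[6:9], "big")
        body = data[9:9 + hs_len]
        if len(body) != hs_len:
            raise ValueError("ClientHello truncated")

        pos = 2 + 32                                    # skip client_version and random
        sid_len = body[pos]; pos += 1                   # this byte sits at stream offset 5+4+2+32 = 43
        session_id = body[pos:pos + sid_len]; pos += sid_len
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2 + cs_len
        cm_len = body[pos]; pos += 1 + cm_len

        server_name = None
        if pos + 2 <= len(body):                        # extensions block is optional
            ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
            end = pos + ext_len
            if end > len(body):
                raise ValueError("extensions length overruns ClientHello")
            while pos + 4 <= end:
                etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
                edata = body[pos:pos + elen]; pos += elen
                if etype == SNI_EXT and server_name is None:
                    server_name = _parse_sni(edata)
        return session_id, server_name
    except (IndexError, struct.error, UnicodeDecodeError) as exc:
        raise ValueError("malformed ClientHello") from exc


def _parse_sni(ext):
    """Pull the first host_name entry out of a server_name extension body."""
    list_len = struct.unpack("!H", ext[0:2])[0]
    pos, end = 2, 2 + list_len
    while pos + 3 <= end:
        ntype = ext[pos]
        nlen = struct.unpack("!H", ext[pos + 1:pos + 3])[0]
        pos += 3
        name = ext[pos:pos + nlen]; pos += nlen
        if ntype == 0:
            return name.decode("ascii")
    return None


def choose_backend(server_name, rules, default):
    """Case-insensitive exact match of the SNI name against a name -> backend map."""
    if server_name is None:
        return default
    return rules.get(server_name.lower(), default)


if __name__ == "__main__":
    rules = {"app.example.com": "bk_app", "api.example.com": "bk_api"}  # hypothetical backend names
    hello = build_client_hello("API.example.com", session_id=b"\xaa" * 32)
    sid, sni = parse_client_hello(hello)
    print("session id:", sid.hex(), "sni:", sni, "->", choose_backend(sni, rules, "bk_default"))
```

Two caveats a practitioner would keep in mind: the SNI name and session ID are sent in clear by design, so this inspection works only on the ClientHello, and once HAProxy terminates SSL itself these values come from the SSL library rather than from raw payload offsets.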

Re: HAProxy with native SSL support !

2012-09-12 Thread David Torgerson
haproxy SSL termination... Awesome!! I have been in the process of replacing our hardware appliances with a software based solution running in a virtualized environment. We currently have a project running in semi-beta mode to a closed set of users. Our current load is around 2500 new ssl

Re: HAProxy with native SSL support !

2012-09-08 Thread Willy Tarreau
Hi Guillaume, On Tue, Sep 04, 2012 at 09:16:17AM +0200, Willy Tarreau wrote: Hi, On Tue, Sep 04, 2012 at 09:12:53AM +0200, Guillaume Castagnino wrote: Hi, Great news ! Just one question: is SNI support planned ? This would be great to allow one certificate per named vhost. Yes

RE: HAProxy with native SSL support !

2012-09-05 Thread Lukas Tribus
-(C)yassl doesn't support - by design - renegotiation. They also don't implement RFC4756 (secure renegotiation), see [3]. While this is not a security problem (from a server point of view), it will become an interoperability problem sooner or later, once browser vendors make

Re: HAProxy with native SSL support !

2012-09-05 Thread Pär Åslund
Hey Willy and the rest of Exceliance team, Awesome work, you guys rock! So looking forward to trying this on my systems. .pelle On Tue, Sep 4, 2012 at 1:37 AM, Willy Tarreau w...@1wt.eu wrote: Hi all, today is a great day (could say night considering the time I'm posting) ! After several

Re: HAProxy with native SSL support !

2012-09-04 Thread Willy Tarreau
Just for the few who have already downloaded it, I have re-uploaded the snapshot with a fix (I failed my attempt at automatically renaming it so it ended up with the same name). There was a bug affecting the combination of accept-proxy + ssl which I just fixed. Regards, Willy

Re: HAProxy with native SSL support !

2012-09-04 Thread Hervé COMMOWICK
What a great news ! Let's go testing on internal applications. Congrats to the Exceliance team ! Hervé. On 09/04/2012 08:12 AM, Willy Tarreau wrote: Just for the few who have already downloaded it, I have re-uploaded the snapshot with a fix (I failed my attempt at automatically renaming it

Re: HAProxy with native SSL support !

2012-09-04 Thread Justin Karneges
On Tuesday, September 04, 2012 01:37:17 AM Willy Tarreau wrote: After several months of efforts by the Exceliance team, we managed to rework all the buffer and connection layers in order to get SSL working on both sides of HAProxy. Very cool. Since HAProxy is event-driven, is anything done to

Re: HAProxy with native SSL support !

2012-09-04 Thread Willy Tarreau
On Mon, Sep 03, 2012 at 11:21:51PM -0700, Justin Karneges wrote: On Tuesday, September 04, 2012 01:37:17 AM Willy Tarreau wrote: After several months of efforts by the Exceliance team, we managed to rework all the buffer and connection layers in order to get SSL working on both sides of

Re: HAProxy with native SSL support !

2012-09-04 Thread Aleksandar Lazic
Hi Willy, congratulations to the whole Team. Thanks for this feature, now the SSL-chain is much simpler ;-) BR Aleks On 04-09-2012 01:37, Willy Tarreau wrote: Hi all, today is a great day (could say night considering the time I'm posting) ! After several months of efforts by the

Re: HAProxy with native SSL support !

2012-09-04 Thread Guillaume Castagnino
Hi, Great news ! Just one question: is SNI support planned ? This would be great to allow one certificate per named vhost. I'm currently stuck with nginx for the SSL layer because of this feature (I know that stunnel and stud recently get this feature, but not yet tested). This would allow me

Re: HAProxy with native SSL support !

2012-09-04 Thread Willy Tarreau
Hi, On Tue, Sep 04, 2012 at 09:12:53AM +0200, Guillaume Castagnino wrote: Hi, Great news ! Just one question: is SNI support planned ? This would be great to allow one certificate per named vhost. Yes it's planned but not done yet. Emeric sees how to implement this but we wanted to

Re: HAProxy with native SSL support !

2012-09-04 Thread sami.djef...@advertstream.com
On Tue, 04 Sep 2012 09:12:53 CEST, Guillaume Castagnino wrote: Hi, Great news ! Just one question: is SNI support planned ? This would be great to allow one certificate per named vhost. I'm currently stuck with nginx for the SSL layer because of this feature (I know that stunnel and stud

Re: HAProxy with native SSL support !

2012-09-04 Thread Duncan Hall
On 04/09/12 09:37, Willy Tarreau wrote: Have a lot of fun and please report your success/failures, Willy Small issue when compiling on CentOS 5.8 64bit against RPM versions of openssl-devel and e2fsprogs-devel-1.39-34.el5_8.1 I get the following: make TARGET=linux2628 USE_OPENSSL=1 gcc

Re: HAProxy with native SSL support !

2012-09-04 Thread Ricardo Fraile
Great! Thanks Willy, From: Willy Tarreau w...@1wt.eu To: haproxy@formilux.org Sent: Tuesday, 4 September 2012 1:37 Subject: HAProxy with native SSL support ! Hi all, today is a great day (could say night considering the time I'm posting) ! After

Re: HAProxy with native SSL support !

2012-09-04 Thread Baptiste
All, A small howto to play with it can be found here: http://blog.exceliance.fr/2012/09/04/howto-ssl-native-in-haproxy/ cheers

Re: HAProxy with native SSL support !

2012-09-04 Thread Willy Tarreau
On Tue, Sep 04, 2012 at 05:56:14PM +1000, Duncan Hall wrote: On 04/09/12 09:37, Willy Tarreau wrote: Have a lot of fun and please report your success/failures, Willy Small issue when compiling on CentOS 5.8 64bit against RPM versions of openssl-devel and

Re: HAProxy with native SSL support !

2012-09-04 Thread Rahul Nair
Congratulations Willy and Team... On Tue, Sep 4, 2012 at 3:59 PM, Willy Tarreau w...@1wt.eu wrote: On Tue, Sep 04, 2012 at 05:56:14PM +1000, Duncan Hall wrote: On 04/09/12 09:37, Willy Tarreau wrote: Have a lot of fun and please report your success/failures, Willy Small issue

Re: HAProxy with native SSL support !

2012-09-04 Thread joris dedieu
Hi, Willy Thanks for this long time expected feature ! Have a lot of fun and please report your success/failures, There is an include issue in this snapshot on FreeBSD (which is not I think ssl related) : gmake TARGET=freebsd USE_OPENSSL=1 gcc -Iinclude -Iebtree -Wall -O2 -g

Re: HAProxy with native SSL support !

2012-09-04 Thread Willy Tarreau
Hi Joris, On Tue, Sep 04, 2012 at 01:45:29PM +0200, joris dedieu wrote: Hi, Willy Thanks for this long time expected feature ! Have a lot of fun and please report your success/failures, There is an include issue in this snapshot on FreeBSD (which is not I think ssl related) : (...)

RE: HAProxy with native SSL support !

2012-09-04 Thread Lukas Tribus
Willy, this is huge! Great, great work! A few comments/questions: - are you running latest and greatest openssl on demo.1wt.eu? I am asking because Secure Renegotiation doesn't seem to be supported [1]. Older (1.0.0?) releases seem to have a higher memory overhead as well, iirc. - I see you

Re: HAProxy with native SSL support !

2012-09-04 Thread David BERARD
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi, On 04/Sep - 01:37, Willy Tarreau w...@1wt.eu wrote: | Have a lot of fun and please report your success/failures, | Willy Thanks a lot for this useful feature. It works well on a dual PPC64 Linux server. I wrote a small patch to add the

Re: HAProxy with native SSL support ! = fix for ssl_cert

2012-09-04 Thread Willy Tarreau
Emeric reported that the build fails without USE_OPENSSL, which is caused by a last-minute change I did yesterday evening. It shows up as ssl_cert not being part of a structure. If you get this, please use the attached patch. Regards, Willy From ff9f7698fcefef66bceb1ec32a3da8b14947a594 Mon Sep

Re: HAProxy with native SSL support !

2012-09-04 Thread Willy Tarreau
Hi Lukas, On Tue, Sep 04, 2012 at 03:05:14PM +0200, Lukas Tribus wrote: Willy, this is huge! Great, great work! A few comments/questions: - are you running latest and greatest openssl on demo.1wt.eu? I am asking because Secure Renegotiation doesn't seem to be supported [1]. Older

Re: HAProxy with native SSL support !

2012-09-04 Thread Willy Tarreau
Hi David, On Tue, Sep 04, 2012 at 03:15:13PM +0200, David BERARD wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi, On 04/Sep - 01:37, Willy Tarreau w...@1wt.eu wrote: | Have a lot of fun and please report your success/failures, | Willy Thanks a lot for this useful feature. It

RE: HAProxy with native SSL support !

2012-09-04 Thread Lukas Tribus
...@1wt.eu To: luky...@hotmail.com CC: haproxy@formilux.org Subject: Re: HAProxy with native SSL support ! Hi Lukas, On Tue, Sep 04, 2012 at 03:05:14PM +0200, Lukas Tribus wrote: Willy, this is huge! Great, great work! A few comments/questions: - are you running latest and greatest openssl

Re: HAProxy with native SSL support !

2012-09-04 Thread Willy Tarreau
On Tue, Sep 04, 2012 at 04:12:43PM +0200, Lukas Tribus wrote: However if we see a much higher performance level by using the native API, we'd probably write a 3rd data layer dedicated to yassl, and would probably rename the current SSL data layer so that we can choose the one we want at

Re: HAProxy with native SSL support !

2012-09-04 Thread Falco Schmutz
Great ! Thanks to the team ! :-) 2012/9/4 Willy Tarreau w...@1wt.eu On Tue, Sep 04, 2012 at 04:12:43PM +0200, Lukas Tribus wrote: However if we see a much higher performance level by using the native API, we'd probably write a 3rd data layer dedicated to yassl, and would probably

Re: HAProxy with native SSL support !

2012-09-04 Thread Justin Karneges
On Tuesday, September 04, 2012 08:41:44 AM Willy Tarreau wrote: On Mon, Sep 03, 2012 at 11:21:51PM -0700, Justin Karneges wrote: On Tuesday, September 04, 2012 01:37:17 AM Willy Tarreau wrote: After several months of efforts by the Exceliance team, we managed to rework all the buffer and

RE: HAProxy with native SSL support !

2012-09-04 Thread Lukas Tribus
Hi, In fact when I say yassl, I really mean CyaSSL. Ok, great. A few more comments about (C)yassl: - development of new features is obviously not as fast as in OpenSSL. For example TLS SNI is not supported yet (ETA: next release) [1]. This feature was introduced in 2007 (0.9.8f)

Re: HAProxy with native SSL support !

2012-09-03 Thread tiago ramos
Great day indeed, can't wait to do some tests. Thanks On 3 September 2012 20:37, Willy Tarreau w...@1wt.eu wrote: Hi all, today is a great day (could say night considering the time I'm posting) ! After several months of efforts by the Exceliance team, we managed to rework all the buffer

Re: HAProxy with native SSL support !

2012-09-03 Thread Mir Islam
Awesome news ! I have been waiting for this for a while. :) On Sep 3, 2012, at 4:37 PM, Willy Tarreau wrote: Hi all, today is a great day (could say night considering the time I'm posting) ! After several months of efforts by the Exceliance team, we managed to rework all the buffer and