mirror of
http://git.haproxy.org/git/haproxy.git/
synced 2025-02-20 12:46:56 +00:00
haproxy public development tree
This patch changes the default certificate mechanism. Since the beginning of SSL in HAProxy, the default certificate was the first certificate of a bind line. This allowed falling back on this certificate when no servername extension was sent by the server, or when no SAN nor CN was available in the certificate. When using a multi-certificate bundle (ecdsa+rsa), it was possible to have both certificates as the fallback one, letting openssl choose the right one. This was possible because a multi-certificate bundle was generating a unique SSL_CTX for both certificates. When the haproxy and openssl architecture evolved, we decided to use multiple SSL_CTX for a multi-cert bundle, in order to simplify the code and allow updates over the CLI. However only one default_ctx was allowed, so we lost the ability to choose between ECDSA and RSA for the default certificate. This patch allows using a '*' filter for a certificate, which allows looking up between multiple '*' filters, and having one in RSA and another one in ECDSA. It replaces the default_ctx mechanism in the ClientHello callback and uses the standard algorithm to look for a default cert and choose between ECDSA and RSA. /!\ This patch breaks the automatic setting of the default certificate, which will be introduced in the next patch. So the first certificate of a bind line won't be used as a default anymore.

To use this feature, one could use crt-list with '*' filters:

    $ cat foo.crtlist
    foobar.pem.rsa *
    foobar.pem.ecdsa *

In order to test the feature, it's easy to send a request without the servername extension and use ECDSA or RSA compatible ciphers:

    $ openssl s_client -connect localhost:8443 -tls1_2 -cipher ECDHE-RSA-AES256-GCM-SHA384
    $ openssl s_client -connect localhost:8443 -tls1_2 -cipher ECDHE-ECDSA-AES256-GCM-SHA384
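The crt-list and the two openssl s_client probes from the commit message, turned into a reusable check. This is an added example, not code from HAProxy or from the commit. It assumes the listener from the commit message on localhost:8443, an OpenSSL-backed Python ssl module, and keeps the handshake on TLS 1.2 on purpose: TLS 1.3 cipher suites do not encode the server's authentication algorithm, so a TLS 1.3 probe could no longer tell an RSA default from an ECDSA one. The crt-list sample is constructed, and the key-type classifier keyed on the file suffix is a toy stand-in for reading the certificate.

```python
"""Check which default certificates an HAProxy listener serves to clients that
send no SNI: one probe per key type, each offering a single TLS 1.2 cipher
suite whose authentication is bound to that key type.  Added example, not
part of HAProxy.  Assumes the listener from the commit message on
localhost:8443 and an OpenSSL-backed Python ssl module."""
import socket
import ssl

# TLS 1.2 suites pin the server's authentication key type: an ECDHE-ECDSA suite
# can only complete if the server has an ECDSA certificate to offer, and
# likewise for ECDHE-RSA.  These are the two suites used in the commit message.
PROBE_SUITES = {
    "RSA": "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDSA": "ECDHE-ECDSA-AES256-GCM-SHA384",
}


def parse_crt_list(text):
    """Parse crt-list lines of the form
       <crtfile> [<ssl-bind-conf> ...] [[!]<snifilter> ...]
    into dicts with the certificate path, bracketed options and SNI filters.
    Blank lines and '#' comment lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        options = []
        if "[" in line:
            head, rest = line.split("[", 1)
            opts, rest = rest.split("]", 1)
            options = opts.split()
            tokens = head.split() + rest.split()
        else:
            tokens = line.split()
        entries.append({"cert": tokens[0], "options": options,
                        "filters": tokens[1:]})
    return entries


def default_candidates(entries):
    """Certificates carrying a literal '*' filter, i.e. the ones the
    ClientHello callback may pick as the default when no SNI matches."""
    return [e["cert"] for e in entries if "*" in e["filters"]]


def default_key_types(entries, classify):
    """Map each default candidate to its key type via the caller's classifier
    and return the set of key types that have a default certificate."""
    return {classify(cert) for cert in default_candidates(entries)}


def probe_default_cert(host, port, key_type, timeout=3.0):
    """Handshake without SNI, offering only the suite for `key_type`.
    Returns the negotiated suite name, or None if the server could not
    authenticate with a certificate of that key type."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE   # we only care which cert is offered
    # Stay on TLS 1.2: TLS 1.3 suites are key-type agnostic, so the probe
    # would no longer discriminate RSA from ECDSA.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(PROBE_SUITES[key_type])
    with socket.create_connection((host, port), timeout=timeout) as raw:
        try:
            # server_hostname=None: no servername (SNI) extension is sent
            with ctx.wrap_socket(raw, server_hostname=None) as tls:
                return tls.cipher()[0]
        except ssl.SSLError:
            return None


def probe_all(host="localhost", port=8443):
    """One probe per key type; a key type with no '*' entry shows up as None."""
    return {kt: probe_default_cert(host, port, kt) for kt in PROBE_SUITES}


# Constructed crt-list mirroring the commit message's foo.crtlist, plus one
# non-default entry with bind options and a negative filter.
SAMPLE_CRT_LIST = """\
# constructed example, not a file from the HAProxy tree
foobar.pem.rsa *
foobar.pem.ecdsa *
site.pem [ssl-min-ver TLSv1.2 alpn h2,http/1.1] www.example.com !*.example.com
"""


def sample_key_type(cert):
    """Toy classifier keyed on the suffix convention from the commit message;
    a real one would read the certificate's SubjectPublicKeyInfo."""
    return "ECDSA" if cert.endswith(".ecdsa") else "RSA"


if __name__ == "__main__":
    entries = parse_crt_list(SAMPLE_CRT_LIST)
    print("default candidates:", default_candidates(entries))
    print("key types with a default:", default_key_types(entries, sample_key_type))
    print("live probe:", probe_all())
```

A config-side check compares `default_key_types(...)` against `set(PROBE_SUITES)`; a listener-side check expects `probe_all()` to return a suite name for both keys. Note the inverse of the commit's warning: with only one '*' entry, the probe for the other key type fails the handshake, which is how a missing fallback shows up to a non-SNI client.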
| Path |
|---|
| .github |
| addons |
| admin |
| dev |
| doc |
| examples |
| include |
| reg-tests |
| scripts |
| src |
| tests |
| .cirrus.yml |
| .gitattributes |
| .gitignore |
| .mailmap |
| .travis.yml |
| BRANCHES |
| BSDmakefile |
| CHANGELOG |
| CONTRIBUTING |
| INSTALL |
| LICENSE |
| MAINTAINERS |
| Makefile |
| README |
| SUBVERS |
| VERDATE |
| VERSION |
The HAProxy documentation has been split into a number of different files for ease of use. Please refer to the following files depending on what you're looking for:

- INSTALL for instructions on how to build and install HAProxy
- BRANCHES to understand the project's life cycle and what version to use
- LICENSE for the project's license
- CONTRIBUTING for the process to follow to submit contributions

The more detailed documentation is located in the doc/ directory:

- doc/intro.txt for a quick introduction on HAProxy
- doc/configuration.txt for the configuration's reference manual
- doc/lua.txt for the Lua reference manual
- doc/SPOE.txt for how to use the SPOE engine
- doc/network-namespaces.txt for how to use network namespaces under Linux
- doc/management.txt for the management guide
- doc/regression-testing.txt for how to use the regression testing suite
- doc/peers.txt for the peers protocol reference
- doc/coding-style.txt for how to adopt HAProxy's coding style
- doc/internals for developer-specific documentation (not all up to date)