mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-08-07 07:37:02 +02:00
Code Issues Projects Releases Wiki Activity

DOC: crt: advise to move away from cert bundle

Browse Source 
especially when starting to use `new ssl cert` runtime API, it might
become a bit confusing for users to mix bundle and single cert,
especially when it comes to use the commit command:
e.g.:
- start the process with `crt` loading a bundle
- use `set ssl cert my_cert.pem.ecdsa`: API detects it as a replacement
  of a bundle.
- `commit` has to be done on the bundle: `commit ssl cert my_cert.pem`

however:
- add a new cert: `new ssl cert my_cert.pem.rsa`: added as a single
  certificate
- `commit` has to be done on the certificate: `commit ssl cert
  my_cert.pem.rsa`

this should resolve github issue #872

this should probably be backported in >= v2.2 in order to encourage
people to move away from bundle certificates loading.

Signed-off-by: William Dauchy <w.dauchy@criteo.com>
This commit is contained in:
William Dauchy 2020-09-26 13:35:52 +02:00 committed by Willy Tarreau
parent f8e795ca04
commit 25407965fd
2 changed files with 10 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
doc/configuration.txt
View File

@ -12560,10 +12560,15 @@ crt <cert>
connecting with "ecdsa.example.com" will only be able to use ECDSA cipher connecting with "ecdsa.example.com" will only be able to use ECDSA cipher
suites. With BoringSSL and Openssl >= 1.1.1 multi-cert is natively supported, suites. With BoringSSL and Openssl >= 1.1.1 multi-cert is natively supported,
no need to bundle certificates. ECDSA certificate will be preferred if client no need to bundle certificates. ECDSA certificate will be preferred if client
support it. supports it.
If a directory name is given as the <cert> argument, haproxy will If a directory name is given as the <cert> argument, haproxy will
automatically search and load bundled files in that directory. automatically search and load bundled files in that directory.
It is however recommended to move away from bundle loading, especially if you
want to use the runtime API to load new certificate which does not support
bundle. A recommended way to migrate is to set `ssl-load-extra-file`
parameter to `none` in global config so that each certificate is loaded as a
single one.
OSCP files (.ocsp) and issuer files (.issuer) are supported with multi-cert OSCP files (.ocsp) and issuer files (.issuer) are supported with multi-cert
bundling. Each certificate can have its own .ocsp and .issuer file. At this bundling. Each certificate can have its own .ocsp and .issuer file. At this

4
doc/management.txt
View File

@ -1725,6 +1725,10 @@ new ssl cert <filename>
Create a new empty SSL certificate store to be filled with a certificate and Create a new empty SSL certificate store to be filled with a certificate and
added to a directory or a crt-list. This command should be used in added to a directory or a crt-list. This command should be used in
combination with "set ssl cert" and "add ssl crt-list". combination with "set ssl cert" and "add ssl crt-list".
Note that bundle certificates are not supported; it is recommended to use
`ssl-load-extra-file none` in global config to avoid loading certificates as
bundle and then mixing with single certificates in the runtime API. This will
avoid confusion, especailly when it comes to the `commit` command.
prompt prompt
Toggle the prompt at the beginning of the line and enter or leave interactive Toggle the prompt at the beginning of the line and enter or leave interactive