git.ipfire.org Git - thirdparty/haproxy.git/commit

author	Nenad Merdanovic <nmerdan@anine.io>
	Tue, 7 Jul 2015 20:00:17 +0000 (22:00 +0200)
committer	Willy Tarreau <w@1wt.eu>
	Thu, 9 Jul 2015 07:26:59 +0000 (09:26 +0200)
commit	5fc7d7e8ce3f10fe29253b298507bbce8e3953d2
tree	a48677e271cb166f299a259cdf960b52059303b6	tree
parent	fc017fec487382aab2f5016a3523f49cebaa751a	commit \| diff

MINOR: Add sample fetch to detect Supported Elliptic Curves Extension

Clients that support ECC cipher suites SHOULD send the specified extension
within the SSL ClientHello message according to RFC4492, section 5.1. We
can use this extension to chain-proxy requests so that, on the same IP
address, a ECC compatible clients gets an EC certificate and a non-ECC
compatible client gets a regular RSA certificate. The main advantage of this
approach compared to the one presented by Dave Zhu on the mailing list
is that we can make it work with OpenSSL versions before 1.0.2.

Example:
frontend ssl-relay
        mode tcp
        bind 0.0.0.0:443
        use_backend ssl-ecc if { req.ssl_ec_ext 1 }
        default_backend ssl-rsa

backend ssl-ecc
        mode tcp
        server ecc unix@/var/run/haproxy_ssl_ecc.sock send-proxy-v2 check

backend ssl-rsa
        mode tcp
        server rsa unix@/var/run/haproxy_ssl_rsa.sock send-proxy-v2 check

listen  all-ssl
        bind unix@/var/run/haproxy_ssl_ecc.sock accept-proxy ssl crt /usr/local/haproxy/ecc.foo.com.pem user nobody
        bind unix@/var/run/haproxy_ssl_rsa.sock accept-proxy ssl crt /usr/local/haproxy/www.foo.com.pem user nobody

Signed-off-by: Nenad Merdanovic <nmerdan@anine.io>

doc/configuration.txt		diff \| blob \| blame \| history
src/payload.c		diff \| blob \| blame \| history