On Mon, Nov 30, 2015 at 3:32 PM, Olivier Doucet <webmas...@ajeux.com> wrote:

> Hello,
>
> I'm digging out this thread, because having multiple certificates for one
> single domain (SNI) but with different key types (RSA/ECDSA) can really be
> a great feature. Is there any progress? How can we help?
>
I'd love to see better support for multiple certificate key types for the
same SNI too.

That said, it is possible to serve both EC and RSA keyed certificates using
haproxy 1.6 now. See
http://blog.haproxy.com/2015/07/15/serving-ecc-and-rsa-certificates-on-same-ip-with-haproxy/
for details. It's not exactly pretty but it does seem to work.
>
> A subsidiary question is: how well are ECDSA certificates supported? So
> if I use a single ECDSA certificate, how many people won't be able to see my
> content?
>

They're pretty well supported by modern clients. Exactly what that means is
a bit fuzzy though: see
https://wiki.mozilla.org/Security/Server_Side_TLS#DHE_and_ECDHE_support for
additional details.

If your clients are all "modern" browsers and mobile devices, you're
probably good. If there are old clients, or other systems calling an API,
there can be issues, especially if they are using Java <= 7.

I've also discovered that Amazon CloudFront doesn't support EC certificates
at all. You can't use them in CloudFront distributions, and CloudFront won't
connect to an Origin that uses them.

-Bryan
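For readers who do not want to follow the link, here is the shape of the HAProxy 1.6 workaround Bryan refers to, as an added example that is neither the blog post's exact configuration nor anything posted in this thread. It routes on whether the ClientHello advertises elliptic-curve support (the `req.ssl_ec_ext` fetch) and relays to one of two local TLS-terminating sockets. The certificate paths, socket paths and the `bk_www` backend are placeholders chosen for the example.

```haproxy
# Added example (not the blog's or the list poster's config): one public
# IP:port serves an ECDSA certificate to clients that advertise EC support
# and an RSA certificate to everyone else, on HAProxy 1.6.
# Assumptions: the certificate and socket paths below are placeholders,
# and bk_www is a hypothetical application backend.

frontend ssl-relay
    mode tcp
    bind 0.0.0.0:443
    # Wait for the ClientHello so the layer-6 fetches below have data to inspect.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    # req.ssl_ec_ext is true when the ClientHello carries the supported
    # elliptic curves extension (RFC 4492), i.e. the client claims EC support.
    use_backend ssl-ecc if { req.ssl_ec_ext 1 }
    default_backend ssl-rsa

# Each backend relays the raw TCP bytes to a local TLS-terminating socket.
# send-proxy-v2 carries the real client address across the extra hop.
backend ssl-ecc
    mode tcp
    server ecc unix@/var/run/haproxy_ecc.sock send-proxy-v2

backend ssl-rsa
    mode tcp
    server rsa unix@/var/run/haproxy_rsa.sock send-proxy-v2

# One HTTP frontend, two bind lines: each terminates TLS with a different key type.
frontend https-terminate
    mode http
    bind unix@/var/run/haproxy_ecc.sock accept-proxy ssl crt /etc/haproxy/certs/ecdsa.www.example.com.pem
    bind unix@/var/run/haproxy_rsa.sock accept-proxy ssl crt /etc/haproxy/certs/rsa.www.example.com.pem
    default_backend bk_www

backend bk_www
    mode http
    server web1 127.0.0.1:8080
```

To confirm which chain each class of client gets, handshake against the relay twice with `openssl s_client`, once restricted to an `ECDHE-ECDSA-*` cipher and once to an `ECDHE-RSA-*` cipher, and compare the served certificates. The routing decision is made purely on the extension in the ClientHello, so a client that advertises EC groups but cannot actually complete an ECDSA handshake still lands on the ECDSA socket; test the older clients Bryan mentions directly rather than trusting the extension check. HAProxy 1.7 and later can load an RSA and an ECDSA certificate for the same name from a multi-cert bundle, so this relay is only needed on 1.6.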
