Hello all,

I've written up Willy and Emeric's proposal and it seems to test fine, at
least from a functionality standpoint.

I would appreciate it if interested parties would beat on this harder than
I did to work out kinks.

To recap for those that are new:

You can now specify <path_to_cert> as a crt or a crt-list entry, but
<path_to_cert> will not actually exist. Instead, there will be
<path_to_cert>.rsa, <path_to_cert>.ecdsa and/or <path_to_cert>.dsa. The
code will load what's available and create (up to) 7 unique SSL_CTX with
the correct sets of keys and certs. It then adds these to the SNI lookup
tree, and sets a default context if one has not been set.

A couple of things to note:

1) The default context will be set to the SSL_CTX that contains the set of
most often used key formats. So currently, it will prefer contexts that
contain RSA, ECDSA then DSA in that order. SSL_CTXs with more key types
will be preferred over SSL_CTXs with fewer key types.
2) The code for processing the CN/SANs is quite complex. I've added as
many comments as I thought were needed, but it still is not simple to read.
The logic though is simple:

- Load info of each crt entry.
- Iterate through all CN/SAN entries and map each entry to which key types
contain it
- Iterate through list of entries to create the requisite SSL_CTXs and
add the SSL_CTX to the sni_tree based on the current CN/SAN

Time to process is O(N) where N=# of CN/SANs.

In the interest of not clogging up everyone's inboxes, I've put the
patches on pastebin, let me know if that works.

Patch 1 - http://pastebin.com/B9KXnEZN
Patch 2 - http://pastebin.com/qFXq2Pbe
Patch 3 - http://pastebin.com/F9Y1N2YN

Please take a look.
-Dave


On 12/1/15, 10:09 AM, "Willy Tarreau" <w...@1wt.eu> wrote:

>Hi Dave,
>
>On Tue, Dec 01, 2015 at 03:04:21PM +0000, Dave Zhu (yanbzhu) wrote:
>> I apologize for not responding sooner, I was waiting for more comments
>>before
>> starting implementation, then this fell off my radar when other
>> responsibilities picked up.
>
>No problem, we're all in the same situation, don't worry!
>
>> I've got some downtime and can start working on Willy's proposal,
>>if that
>> will meet the requirements of the people here.
>
>That would be awesome! That said, don't put yourself under pressure,
>yes it's something that people would love to have but don't stop all
>your activities for this. I tend to think that there are people
>volunteering for testing here given the demand, so do not hesitate
>to post preview patches as you did initially.
>
>Cheers,
>willy
>
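The loading logic described in the message above (per-key-type cert files, one SSL_CTX per distinct key-type set, default chosen by preference), modelled as an added example with constructed data; this is not HAProxy's own code, and the tie-break between equally sized key sets is my reading of "RSA, ECDSA then DSA in that order".

```c
/* Constructed model of the multi-cert SSL_CTX logic described above; not HAProxy code. */
#include <string.h>

enum { KT_RSA = 1, KT_ECDSA = 2, KT_DSA = 4 };  /* one bit per <path_to_cert>.{rsa,ecdsa,dsa} */

/* One loaded cert file: its key type and the CN/SAN names it carries (NULL-terminated). */
struct cert { int ktype; const char *names[8]; };

/* Rank a key-type set: more key types first, then RSA > ECDSA > DSA (tie-break is an assumption). */
int ctx_rank(int mask) {
    int n = !!(mask & KT_RSA) + !!(mask & KT_ECDSA) + !!(mask & KT_DSA);
    int pref = (mask & KT_RSA ? 4 : 0) | (mask & KT_ECDSA ? 2 : 0) | (mask & KT_DSA ? 1 : 0);
    return n * 8 + pref;
}

/* Step 2: bitmask of the key types whose cert lists `name` as CN or SAN. */
int name_mask(const struct cert *certs, int ncerts, const char *name) {
    int mask = 0;
    for (int i = 0; i < ncerts; i++)
        for (int j = 0; certs[i].names[j]; j++)
            if (strcmp(certs[i].names[j], name) == 0)
                mask |= certs[i].ktype;
    return mask;
}

/* Step 3: one SSL_CTX per distinct mask (at most 7); each name would go into the SNI tree
 * pointing at the ctx for its mask. Returns the mask that becomes the default context. */
int build_contexts(const struct cert *certs, int ncerts, int *masks, int *nctx) {
    int seen[8] = {0}, best = 0;
    *nctx = 0;
    for (int i = 0; i < ncerts; i++)
        for (int j = 0; certs[i].names[j]; j++) {
            int m = name_mask(certs, ncerts, certs[i].names[j]);
            if (!seen[m]) { seen[m] = 1; masks[(*nctx)++] = m; }  /* new key set: new SSL_CTX */
            if (ctx_rank(m) > ctx_rank(best)) best = m;
        }
    return best;
}

/* Constructed sample: site.rsa covers three names, site.ecdsa one, site.dsa one. */
static const struct cert sample[] = {
    { KT_RSA,   { "example.com", "www.example.com", "legacy.example.com", NULL } },
    { KT_ECDSA, { "example.com", NULL } },
    { KT_DSA,   { "legacy.example.com", NULL } },
};

/* Runs the sample: 3 contexts (RSA|ECDSA, RSA, RSA|DSA); default is RSA|ECDSA. */
int sample_default(int *nctx) {
    int masks[7];
    return build_contexts(sample, 3, masks, nctx);
}
```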
