Hello,

I'm resuming this mail from Olivier because I think I have met the same problem. Like him, I need to use specific DH parameters. For this, I simply use the ability to add these DH parameters in the certificate file. These DH parameters are correctly taken into account if I specify the exact path of the certificate, for example:

bind :443 ssl crt certificate.pem.rsa

Then, I try to use the functionality described in the manual (https://cbonte.github.io/haproxy-dconv/1.7/configuration.html#5.1-crt) which allows creating a certificate bundle if we don't specify the explicit suffix in the configuration:

bind :443 ssl crt certificate.pem

In this case, the certificate is correctly used (certificate.pem.rsa, same file) but not its part containing the specific DH parameters. Indeed, if I do an SSL connection test (with testssl.sh for example), I observe that HAProxy uses its default DH parameters instead of using those of the file.

Of course, the goal is to be able to offer ECDSA certificates, but before going to this step, I would have to use specific DH parameters.

Regards,
Arnaud.

----- Original message -----
> From: "Olivier Doucet" <webmas...@ajeux.com>
> To: "HAProxy" <haproxy@formilux.org>
> Sent: Friday 23 March 2018 15:58:27
> Subject: HAProxy multiple key type support - bug/feature (?) with DH parameters
>
> Hello,
>
> a few months ago I started using multiple key type support in HAProxy. It
> means I have this in haproxy.cfg:
>
> bind :443 ssl crt example.pem
>
> And these files:
> example.pem.rsa
> example.pem.rsa.ocsp
> example.pem.rsa.issuer
> example.pem.ecdsa
> example.pem.ecdsa.ocsp
> example.pem.ecdsa.issuer
> (see https://cbonte.github.io/haproxy-dconv/1.7/configuration.html#5.1-crt)
>
> It is working very well :)
>
> I now need to handle specific DH parameters for a customer. Before, I used
> to add a DH block in the pem file and it was working... But here, the block is
> simply ignored, despite what is said in the config documentation:
> https://cbonte.github.io/haproxy-dconv/1.7/configuration.html#3.2-tune.ssl.default-dh-param
> "This value is not used if static Diffie-Hellman parameters are supplied
> either directly in the certificate file or by using the ssl-dh-param-file
> parameter"
>
> I can confirm this behaviour happens only when certificates are loaded with
> the .rsa / .ecdsa extension: it is working if I rename example.pem.rsa to
> example.pem
>
> I tried to create a file example.pem.rsa.dh or example.pem.rsa.dhparam with
> no luck (just tried those file names randomly :p).
>
> Olivier

--
Université de Montpellier
Direction du Système d'Information et du Numérique
Service des Moyens Informatiques
Bureau réseaux, sécurité et téléphonie IP
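As an added check (my own example, not HAProxy code and not from either poster), here is a small Python script that inspects a PEM bundle the way an operator would before pointing `crt` at it: it lists the PEM blocks the file contains and decodes any `DH PARAMETERS` block (a PKCS#3 `SEQUENCE { p INTEGER, g INTEGER }`) to report the size of the prime. This confirms whether the file on disk actually carries its own DH parameters and how large they are; it cannot tell you what HAProxy negotiated at runtime, which is what the testssl.sh check in the thread is for. The sample bundle, the placeholder certificate/key bodies and the 127-bit Mersenne prime used as `p` are constructed values for the demonstration only, far too small for real use.

```python
"""Inspect a PEM bundle for embedded Diffie-Hellman parameters.

Added example for the thread above; all sample values are constructed.
"""
import base64
import re

# Constructed toy parameters: 2^127 - 1 is prime, but 127 bits is only for the demo.
TOY_P = (1 << 127) - 1
TOY_G = 2

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def _der_len(n):
    """DER length octets, short form below 128 and long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(v):
    """DER INTEGER for a non-negative integer (leading 0x00 keeps it positive)."""
    body = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body


def make_dh_params_pem(p, g):
    """Encode (p, g) as a PKCS#3 DHParameter SEQUENCE, PEM-armoured."""
    inner = _der_int(p) + _der_int(g)
    der = b"\x30" + _der_len(len(inner)) + inner
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"


def _read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_dh_params(der):
    """Return (p, g) from a DER DHParameter; raise ValueError on bad structure."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, p_bytes, pos = _read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER p")
    tag, g_bytes, _ = _read_tlv(seq, pos)
    if tag != 0x02:
        raise ValueError("expected INTEGER g")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")


def inspect_bundle(text):
    """Summarise a PEM bundle: block labels in order, and the bit size of each DH prime."""
    summary = {"labels": [], "dh_bits": []}
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group(1), m.group(2)
        summary["labels"].append(label)
        if label == "DH PARAMETERS":
            p, _g = parse_dh_params(base64.b64decode("".join(body.split())))
            summary["dh_bits"].append(p.bit_length())
    return summary


def has_own_dh_params(text):
    """True when the bundle carries at least one DH PARAMETERS block."""
    return bool(inspect_bundle(text)["dh_bits"])


def _placeholder(label, payload):
    """Constructed PEM block with an opaque body; stands in for a real cert/key."""
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, base64.b64encode(payload).decode(), label)


# Constructed sample bundles: one with DH parameters appended, one without.
SAMPLE_BUNDLE_NO_DH = (_placeholder("CERTIFICATE", b"constructed placeholder, not a real certificate")
                       + _placeholder("PRIVATE KEY", b"constructed placeholder, not a real key"))
SAMPLE_BUNDLE = SAMPLE_BUNDLE_NO_DH + make_dh_params_pem(TOY_P, TOY_G)

if __name__ == "__main__":
    for name, bundle in (("with DH", SAMPLE_BUNDLE), ("without DH", SAMPLE_BUNDLE_NO_DH)):
        print(name, inspect_bundle(bundle), "own DH params:", has_own_dh_params(bundle))
```

Run it against each file HAProxy will actually open (`certificate.pem.rsa`, `certificate.pem.ecdsa`, or the `ssl-dh-param-file` target) by reading the file into `inspect_bundle`; a bundle that reports no `DH PARAMETERS` block explains a fallback to the default parameters on its own, while one that does report them but still negotiates the defaults points at the loader behaviour discussed in the thread.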