Re: Automatic Certificate Switching Idea

2017-05-15 Thread Daniel Schneller
> > That's perfect! Your feedback and possible trouble in doing this will
> > also definitely help!
>

Oh, if experience tells me one thing, no matter how “straightforward” this may look, there _will_ be trouble ;-)

Cheers
Daniel

--
Daniel Schneller
Principal Cloud Engineer
CenterDevice

Re: Automatic Certificate Switching Idea

2017-05-12 Thread Willy Tarreau
On Fri, May 12, 2017 at 06:42:20PM +0200, Daniel Schneller wrote:
> > That said, given that we can already look up a cert based on a name,
> > maybe in fact we could load all of them and just try to find a more
> > recent one if the first one reported by the SNI is outdated. I don't
> > know if

Re: Automatic Certificate Switching Idea

2017-05-12 Thread Daniel Schneller
Willy, thanks for your elaborate reply! See my remarks below.

> possible impacts nor complexity (but I don't want to have the complete MS
> Office suite merged in, just Word, Excel and PowerPoint :-)).

:-D

> - renewed certs can and will sometimes provide extra alt names, so
> they are not

Re: Automatic Certificate Switching Idea

2017-05-12 Thread Willy Tarreau
Hi,

On Tue, May 09, 2017 at 07:04:01PM +0200, Daniel Schneller wrote:
> Hi!
>
> > On 9. May. 2017, at 00:30, Lukas Tribus wrote:
> >
> > [...]
> > I'm opposed to heavy feature-bloating for provisioning use-cases, that
> > can quite easily fixed where the fix belongs - the

Re: Automatic Certificate Switching Idea

2017-05-09 Thread Daniel Schneller
Hi!

> On 9. May. 2017, at 00:30, Lukas Tribus wrote:
>
> [...]
> I'm opposed to heavy feature-bloating for provisioning use-cases, that
> can quite easily fixed where the fix belongs - the provisioning layer.

You are right, that this can be handled outside / in the provisioning

Re: Automatic Certificate Switching Idea

2017-05-08 Thread Lukas Tribus
Hello,

On 30.04.2017 at 22:16, Daniel Schneller wrote:
> Hi!
>
> Yes, you got it right. I have no idea if there are technical limitations in
> the SSL library or other parts of the code that would make several
> certificate/key pairs for the same domain infeasible.
>
> If there were hard

Re: Automatic Certificate Switching Idea

2017-04-30 Thread Daniel Schneller
Hi! Yes, you got it right. I have no idea if there are technical limitations in the SSL library or other parts of the code that would make several certificate/key pairs for the same domain infeasible. If there were hard restrictions, it could certainly be done "externally" with a set of

Re: Automatic Certificate Switching Idea

2017-04-30 Thread Aleksandar Lazic
Hi.

On 28-04-2017 09:26, Daniel Schneller wrote:

Hello! I am managing a few haproxy instances that each manage a good number of domains and do the TLS termination on behalf of what you might call "hosted" sites. Most of the clients connecting to these haproxys implement certificate

Automatic Certificate Switching Idea

2017-04-28 Thread Daniel Schneller
Hello! I am managing a few haproxy instances that each manage a good number of domains and do the TLS termination on behalf of what you might call “hosted” sites. Most of the clients connecting to these haproxys implement certificate pinning and verify that the certificate presented by the