Gitiles
Code Review Sign In
git01.mediatek.com / haproxy / 31af49d62bb398f43d0e955ebf9a7157c38e2d56
commit31af49d62bb398f43d0e955ebf9a7157c38e2d56[log] [tgz]
authorChristopher Faulet <cfaulet@qualys.com>Tue Jun 09 17:29:50 2015 +0200
committerWilly Tarreau <w@1wt.eu>Fri Jun 12 18:06:59 2015 +0200
treecb25a102996b93450fa5254ae65f47a8672e1a4c
parent92939d20facb6fef1da94bcb21f043f1d5e09eca [diff]
MEDIUM: ssl: Add options to forge SSL certificates

With this patch, it is possible to configure HAProxy to forge the SSL
certificate sent to a client using the SNI servername. We do it in the SNI
callback.

To enable this feature, you must pass following BIND options:

 * ca-sign-file <FILE> : This is the PEM file containing the CA certitifacte and
   the CA private key to create and sign server's certificates.

 * (optionally) ca-sign-pass <PASS>: This is the CA private key passphrase, if
   any.

 * generate-certificates: Enable the dynamic generation of certificates for a
   listener.

Because generating certificates is expensive, there is a LRU cache to store
them. Its size can be customized by setting the global parameter
'tune.ssl.ssl-ctx-cache-size'.
8 files changed
tree: cb25a102996b93450fa5254ae65f47a8672e1a4c
  1. contrib/
  2. doc/
  3. ebtree/
  4. examples/
  5. include/
  6. src/
  7. tests/
  8. .gitignore
  9. CHANGELOG
  10. LICENSE
  11. Makefile
  12. README
  13. ROADMAP
  14. SUBVERS
  15. VERDATE
  16. VERSION