MEDIUM: ssl: Add options to forge SSL certificates With this patch, it is possible to configure HAProxy to forge the SSL certificate sent to a client using the SNI servername. We do it in the SNI callback. To enable this feature, you must pass following BIND options: * ca-sign-file <FILE> : This is the PEM file containing the CA certitifacte and the CA private key to create and sign server's certificates. * (optionally) ca-sign-pass <PASS>: This is the CA private key passphrase, if any. * generate-certificates: Enable the dynamic generation of certificates for a listener. Because generating certificates is expensive, there is a LRU cache to store them. Its size can be customized by setting the global parameter 'tune.ssl.ssl-ctx-cache-size'.

commit: 31af49d62bb398f43d0e955ebf9a7157c38e2d56 [log] [tgz]
author: Christopher Faulet <cfaulet@qualys.com> Tue Jun 09 17:29:50 2015 +0200
committer: Willy Tarreau <w@1wt.eu> Fri Jun 12 18:06:59 2015 +0200
tree: cb25a102996b93450fa5254ae65f47a8672e1a4c
parent: 92939d20facb6fef1da94bcb21f043f1d5e09eca [diff]
diff --git a/include/common/defaults.h b/include/common/defaults.h
index 6193bdc..0296201 100644
--- a/include/common/defaults.h
+++ b/include/common/defaults.h

@@ -257,6 +257,10 @@
 #define SSL_HANDSHAKE_MAX_COST (76*1024)  // measured
 #endif
 
+#ifndef DEFAULT_SSL_CTX_CACHE
+#define DEFAULT_SSL_CTX_CACHE 1000
+#endif
+
 /* approximate stream size (for maxconn estimate) */
 #ifndef STREAM_MAX_COST
 #define STREAM_MAX_COST (sizeof(struct stream) + \
commit	31af49d62bb398f43d0e955ebf9a7157c38e2d56	[log] [tgz]
author	Christopher Faulet <cfaulet@qualys.com>	Tue Jun 09 17:29:50 2015 +0200
committer	Willy Tarreau <w@1wt.eu>	Fri Jun 12 18:06:59 2015 +0200
tree	cb25a102996b93450fa5254ae65f47a8672e1a4c
parent	92939d20facb6fef1da94bcb21f043f1d5e09eca [diff]