Gitiles
Code Review Sign In
git01.mediatek.com / haproxy / 5fc7d7e8ce3f10fe29253b298507bbce8e3953d2
commit5fc7d7e8ce3f10fe29253b298507bbce8e3953d2[log] [tgz]
authorNenad Merdanovic <nmerdan@anine.io>Tue Jul 07 22:00:17 2015 +0200
committerWilly Tarreau <w@1wt.eu>Thu Jul 09 09:26:59 2015 +0200
treea48677e271cb166f299a259cdf960b52059303b6
parentfc017fec487382aab2f5016a3523f49cebaa751a [diff]
MINOR: Add sample fetch to detect Supported Elliptic Curves Extension

Clients that support ECC cipher suites SHOULD send the specified extension
within the SSL ClientHello message according to RFC4492, section 5.1. We
can use this extension to chain-proxy requests so that, on the same IP
address, a ECC compatible clients gets an EC certificate and a non-ECC
compatible client gets a regular RSA certificate. The main advantage of this
approach compared to the one presented by Dave Zhu on the mailing list
is that we can make it work with OpenSSL versions before 1.0.2.

Example:
frontend ssl-relay
        mode tcp
        bind 0.0.0.0:443
        use_backend ssl-ecc if { req.ssl_ec_ext 1 }
        default_backend ssl-rsa

backend ssl-ecc
        mode tcp
        server ecc unix@/var/run/haproxy_ssl_ecc.sock send-proxy-v2 check

backend ssl-rsa
        mode tcp
        server rsa unix@/var/run/haproxy_ssl_rsa.sock send-proxy-v2 check

listen  all-ssl
        bind unix@/var/run/haproxy_ssl_ecc.sock accept-proxy ssl crt /usr/local/haproxy/ecc.foo.com.pem user nobody
        bind unix@/var/run/haproxy_ssl_rsa.sock accept-proxy ssl crt /usr/local/haproxy/www.foo.com.pem user nobody

Signed-off-by: Nenad Merdanovic <nmerdan@anine.io>
2 files changed
tree: a48677e271cb166f299a259cdf960b52059303b6
  1. contrib/
  2. doc/
  3. ebtree/
  4. examples/
  5. include/
  6. src/
  7. tests/
  8. .gitignore
  9. CHANGELOG
  10. LICENSE
  11. Makefile
  12. README
  13. ROADMAP
  14. SUBVERS
  15. VERDATE
  16. VERSION