HAProxy Elliptic Curve Certificates
-
Dear All,
Using letsencrypt, it is now quite simple to get a trusted certificate with an Elliptic Curve Cryptography (ECC) key. What I did not manage so far, however, is to use such a certificate in HAProxy.
My scenario is SSL Offloading and Shared Frontends with separate certificates. I think this is called SNI, nevertheless, I did not check the boxes on "Add ACL for certificate CommonName." and "Add ACL for certificate Subject Alternative Names.". I use Advanced SSL Options "no-sslv3 no-tls-tickets ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA".
My first attempt was to generate an ECC certificate for a less relevant domain to experiment with. This is in a Shared Frontend and all other certificates elsewhere are classic RSA certificates. That did not work, as the browser (and https://www.ssllabs.com/ssltest/) would not pick the ECC certificate in the same way it did pick the RSA certificate used regularly.
Unfortunately, I do not quite understand the causes of issues with ECC certificates and which options might exist to do better.
Can someone please point me to the right direction?
Regards,
Michael
-
Dear All,
I did try again and with advanced ssl options "no-sslv3 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA" things do work.
In general, to further improve https quality, a more modern openssl seems to be required - let's hope for 2.4.
Regards,
Michael
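As an added illustration of the point in the second post (example code, not from the thread or from HAProxy itself): the check below classifies each suite in an ssl-default-bind-ciphers list by the certificate type it authenticates with, so a list that only contains ECDHE-RSA suites is flagged as unable to serve an EC certificate. The classification follows OpenSSL's TLS 1.2 cipher suite naming; aliases such as HIGH are not expanded and are reported as UNKNOWN.

```python
import re

# Authentication algorithm implied by an OpenSSL cipher suite name (TLS 1.2 and
# earlier naming, as used in HAProxy's ssl-default-bind-ciphers). Suites with no
# key-exchange prefix, e.g. AES256-SHA, use static RSA key exchange and therefore
# need an RSA certificate.
_AUTH_PATTERNS = (
    (re.compile(r"^(ECDHE|ECDH)-ECDSA-"), "ECDSA"),
    (re.compile(r"^(ECDHE|ECDH|DHE|EDH)-RSA-"), "RSA"),
    (re.compile(r"^(DHE|EDH)-DSS-"), "DSS"),
    (re.compile(r"^(AES|CAMELLIA|DES-CBC3|SEED|RC4|IDEA)"), "RSA"),
)

def auth_algorithm(suite):
    """Return 'ECDSA', 'RSA', 'DSS' or 'UNKNOWN' for one cipher suite name."""
    for pattern, auth in _AUTH_PATTERNS:
        if pattern.match(suite):
            return auth
    return "UNKNOWN"  # aliases like HIGH or kEECDH are not expanded here

def offered_auth(cipher_list):
    """Set of certificate key types the suites in a colon-separated list can use.
    Entries with an OpenSSL operator prefix (!, -, +) remove or reorder suites,
    so they are skipped rather than counted as offered."""
    suites = [s for s in cipher_list.split(":") if s]
    return {auth_algorithm(s) for s in suites if s[0] not in "!-+"}

def can_serve(cipher_list, cert_key_type):
    """True if at least one suite authenticates with a certificate of
    cert_key_type: 'RSA' for a classic certificate, 'ECDSA' for an EC one."""
    return cert_key_type in offered_auth(cipher_list)

# The two cipher lists quoted in the thread above: the first (RSA-only) and the
# second (ECDSA suites added in front).
RSA_ONLY = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA"
WITH_ECDSA = ("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:"
              "ECDHE-ECDSA-AES256-SHA:" + RSA_ONLY)

if __name__ == "__main__":
    for name, lst in (("first list", RSA_ONLY), ("second list", WITH_ECDSA)):
        print(name, "offers", sorted(offered_auth(lst)),
              "- can serve EC certificate:", can_serve(lst, "ECDSA"))
```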
-
Hi Michael,
I'm trying to configure an HAProxy with an EC certificate and I configured the global settings like you described:
ssl-default-bind-options no-sslv3 no-tls-tickets
ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA
My .pem file has private key + cert + CA cert, still haproxy fails:
parsing [/etc/haproxy/haproxy.cfg:48] : 'bind 10.10.1.5:443' : unable to load SSL private key from PEM …ne.com.pem'
I'm running a v1.5 haproxy, what was the version you used?
thanks,
Ricardo