    HAProxy Elliptic Curve Certificates

    michaelschefczyk

      Dear All,

      Using letsencrypt, it is now quite simple to get a trusted certificate with an Elliptic Curve Cryptography (ECC) key. What I did not manage so far, however, is to use such a certificate in HAProxy.

      My scenario is SSL Offloading and Shared Frontends with separate certificates. I think this is called SNI, nevertheless, I did not check the boxes on "Add ACL for certificate CommonName." and "Add ACL for certificate Subject Alternative Names.". I use Advanced SSL Options "no-sslv3 no-tls-tickets ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA".

      My first attempt was to generate an ECC certificate for a less relevant domain to experiment with. This is in a Shared Frontend and all other certificates elsewhere are classic RSA certificates. That did not work, as the browser (and https://www.ssllabs.com/ssltest/) would not pick the ECC certificate in the same way it did pick the RSA certificate used regularly.

      Unfortunately, I do not quite understand the causes of issues with ECC certificates and which options might exist to do better.

      Can someone please point me to the right direction?

      Regards,

      Michael

      michaelschefczyk

        Dear All,

        I did try again and with advanced ssl options "no-sslv3 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA" things do work.

        In general, to further improve https quality, a more modern openssl seems to be required - let's hope for 2.4.

        Regards,

        Michael

        resanto

          Hi Michael,

          I'm trying to configure a haproxy with an EC certificate and I configured the global settings like you described:

          ssl-default-bind-options no-sslv3 no-tls-tickets
          ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA

          my .pem file has private key + cert + CA cert, still haproxy fails:

          parsing [/etc/haproxy/haproxy.cfg:48] : 'bind 10.10.1.5:443' : unable to load SSL private key from PEM …ne.com.pem'

          I'm running a v1.5 haproxy, what was the version you used?

          thanks,

          Ricardo

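The two problems in this thread (an RSA-only cipher list that can never select an ECDSA certificate, and a PEM bundle HAProxy refuses to load) can be caught before reloading HAProxy. The following is an added example, not code from the thread or from HAProxy: it reads the PEM block labels of a bundle and the OpenSSL cipher string from the bind options and reports whether the key type and the cipher list are consistent. The bundle below is a constructed sample with placeholder base64 bodies, not real key material.

```python
import re

# Constructed sample bundle in the order Ricardo describes: key + cert + CA cert.
# The base64 bodies are placeholders, not real key material.
SAMPLE_BUNDLE = """-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIPLACEHOLDERKEY
-----END EC PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIBPLACEHOLDERLEAF
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBPLACEHOLDERCA
-----END CERTIFICATE-----
"""

# The two cipher strings from Michael's posts.
RSA_ONLY = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA"
MIXED = ("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:"
         "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA")

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)

def pem_blocks(bundle):
    """Return the PEM block labels in file order, e.g. ['EC PRIVATE KEY', 'CERTIFICATE']."""
    return [m.group(1) for m in PEM_BLOCK.finditer(bundle)]

def key_type(bundle):
    """Key algorithm as far as the PEM header reveals it; PKCS#8 headers hide it."""
    labels = pem_blocks(bundle)
    if "EC PRIVATE KEY" in labels:
        return "EC"
    if "RSA PRIVATE KEY" in labels:
        return "RSA"
    return "PKCS8" if "PRIVATE KEY" in labels else None

def auth_families(cipher_string):
    """Server-authentication types the cipher list allows: 'EC', 'RSA' or 'ALIAS' (HIGH etc.)."""
    fams = set()
    for name in filter(None, cipher_string.split(":")):
        if "-ECDSA-" in name:
            fams.add("EC")
        elif "-RSA-" in name or name.startswith(("AES", "CAMELLIA")):
            fams.add("RSA")            # bare AES256-SHA style names are RSA key exchange
        else:
            fams.add("ALIAS")          # keyword aliases cannot be classified by name
    return fams

def lint(bundle, cipher_string):
    """List of findings; empty means the bundle and cipher list agree."""
    findings, labels, kt, fams = [], pem_blocks(bundle), key_type(bundle), auth_families(cipher_string)
    if kt is None:
        findings.append("no private key block in bundle")
    if "CERTIFICATE" not in labels:
        findings.append("no certificate block in bundle")
    if kt == "EC" and not fams & {"EC", "ALIAS"}:
        findings.append("EC key but no ECDHE-ECDSA suites in cipher list")
    if kt == "RSA" and not fams & {"RSA", "ALIAS"}:
        findings.append("RSA key but no RSA-authenticated suites in cipher list")
    return findings
```

A clean result only means the key type and cipher list match; a load failure such as Ricardo's can still come from the key encoding or the OpenSSL build behind that HAProxy version, which this check does not inspect.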
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.