4. HAProxy Elliptic Curve Certificates

HAProxy Elliptic Curve Certificates

  • M

    Dear All,

    Using letsencrypt, it is now quite simple to get a trusted certifcate with an Elliptic Curve Cryptography (ECC) key. What I did not manage so far, however, is to use such certificate in HAProxy.

    My scenario is SSL Offloading and Shared Frontends with separate certificates. I think this is called SNI, nevertheless, I did not check the boxes on "Add ACL for certificate CommonName." and "Add ACL for certificate Subject Alternative Names.". I use Advanced SSL Options "no-sslv3 no-tls-tickets ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA".

    My first attempt was to generate an ECC certificate for a less relevant domain to experiment with. This is in a Shared Frontend and all other certificates elsewhere are classic RSA certificates. That did not work, as the browser (and https://www.ssllabs.com/ssltest/) would not pick the ECC certificate in the same way it did pick the RSA certificate used regularly.

    Unfortunately, I do not quite understand the causes of issues with ECC certificates and which options might exist to do better.

    Can someone please point me to the right direction?

    Regards,

    Michael

    0
  • M

    Dear All,

    I did try again and with advanced ssl options "no-sslv3 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA" things do work.

    In general, to further improve https quality, a more modern openssl seems to be required - let's hope for 2.4.

    Regards,

    Michael

    0
  • R

    Hi Michael,

    I'm trying to configure a haproxy with a EC certificate and i configured global setting like you described:

    ssl-default-bind-options no-sslv3 no-tls-tickets
    ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA

    my .pem file has privatekey + cert +certCA, still haproxy fails:

    parsing [/etc/haproxy/haproxy.cfg:48] : 'bind 10.10.1.5:443' : unable to load SSL private key from PEM …ne.com.pem'

    I'm runnig a v1.5 haproxy, what was the version you used?

    thanks,

    Ricardo

    0
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy