HAProxy Elliptic Curve Certificates



  • Dear All,

    Using letsencrypt, it is now quite simple to get a trusted certificate with an Elliptic Curve Cryptography (ECC) key. What I did not manage so far, however, is to use such a certificate in HAProxy.

    My scenario is SSL Offloading and Shared Frontends with separate certificates. I think this is called SNI. Nevertheless, I did not check the boxes on "Add ACL for certificate CommonName." and "Add ACL for certificate Subject Alternative Names.". I use Advanced SSL Options "no-sslv3 no-tls-tickets ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA".

    My first attempt was to generate an ECC certificate for a less relevant domain to experiment with. This is in a Shared Frontend and all other certificates elsewhere are classic RSA certificates. That did not work, as the browser (and https://www.ssllabs.com/ssltest/) would not pick the ECC certificate in the same way it did pick the RSA certificate used regularly.

    Unfortunately, I do not quite understand the causes of issues with ECC certificates and which options might exist to do better.

    Can someone please point me to the right direction?

    Regards,

    Michael



  • Dear All,

    I did try again and with advanced ssl options "no-sslv3 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA" things do work.

    In general, to further improve https quality, a more modern openssl seems to be required - let's hope for 2.4.

    Regards,

    Michael



  • Hi Michael,

    I'm trying to configure an haproxy with an EC certificate and I configured the global settings like you described:

    ssl-default-bind-options no-sslv3 no-tls-tickets
    ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA

    my .pem file has privatekey + cert + certCA, still haproxy fails:

    parsing [/etc/haproxy/haproxy.cfg:48] : 'bind 10.10.1.5:443' : unable to load SSL private key from PEM …ne.com.pem'

    I'm running a v1.5 haproxy, what was the version you used?

    thanks,

    Ricardo
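
Added example, not part of the thread and not HAProxy's own code. Two things come up above: Michael's first cipher string contained only ECDHE-RSA-* suites, so a server holding an ECDSA key had nothing it could negotiate until ECDHE-ECDSA-* suites were added, and Ricardo's bundle (private key + cert + CA cert in one PEM) is rejected at load time. The script below checks both offline, on the text of the bundle and the cipher string, before haproxy is (re)started: it lists the PEM blocks, identifies the key algorithm (from the legacy "EC PRIVATE KEY"/"RSA PRIVATE KEY" header, or from the AlgorithmIdentifier OID inside a PKCS#8 "PRIVATE KEY" block), flags bundles with no key, several keys or a passphrase-protected key, and reports which suites from an OpenSSL-style cipher string can actually be used with that key type. Function names, the sample bundles (base64 bodies are placeholders, not real key material) and the suite classification by name only are all assumptions of this example; it cannot tell you why a particular load failed, only whether the bundle and cipher string contain what an ECDSA or RSA certificate needs.

```python
"""Offline sanity checks for an HAProxy PEM bundle and its cipher string.
Added example for this thread; not HAProxy code. Names are illustrative."""
import base64
import re

# DER-encoded OIDs as they appear inside a PKCS#8 "PRIVATE KEY" block.
OID_EC_PUBLIC_KEY = bytes.fromhex("06072a8648ce3d0201")        # 1.2.840.10045.2.1
OID_RSA_ENCRYPTION = bytes.fromhex("06092a864886f70d010101")   # 1.2.840.113549.1.1.1

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_blocks(pem_text):
    """Yield (label, der_bytes) for each PEM block; undecodable bodies yield b''."""
    for m in PEM_BLOCK.finditer(pem_text):
        label, body = m.group(1), m.group(2)
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:          # binascii.Error is a ValueError subclass
            der = b""
        yield label, der


def key_type(label, der):
    """Classify a private-key block as 'EC', 'RSA' or 'unknown'."""
    if label == "EC PRIVATE KEY":
        return "EC"
    if label == "RSA PRIVATE KEY":
        return "RSA"
    if label == "PRIVATE KEY":      # PKCS#8: the algorithm is only visible in the DER
        if OID_EC_PUBLIC_KEY in der:
            return "EC"
        if OID_RSA_ENCRYPTION in der:
            return "RSA"
    return "unknown"


def inspect_bundle(pem_text):
    """Summarise a key + cert (+ chain) bundle the way haproxy's 'crt' expects it.
    Note: certificate order (leaf first, then chain) is not verified here."""
    blocks = list(pem_blocks(pem_text))
    key_blocks = [(l, d) for l, d in blocks if l.endswith("PRIVATE KEY")]
    n_certs = sum(1 for l, _ in blocks if l == "CERTIFICATE")
    problems = []
    if not key_blocks:
        problems.append("no private key block")
    elif len(key_blocks) > 1:
        problems.append("more than one private key block")
    if n_certs == 0:
        problems.append("no certificate block")
    kt = "unknown"
    if key_blocks:
        label, der = key_blocks[0]
        if label == "ENCRYPTED PRIVATE KEY":
            problems.append("private key is passphrase-protected")
        else:
            kt = key_type(label, der)
            if kt == "unknown":
                problems.append("private key algorithm not recognised")
    return {"key_type": kt, "certificates": n_certs, "problems": problems}


def suite_auth(name):
    """Certificate key type a named suite authenticates with: 'EC' (ECDSA),
    'RSA' (ECDHE-RSA, DHE-RSA and the prefix-less RSA key-exchange suites such
    as AES256-SHA), or None for group keywords (HIGH, ECDHE, ...) this check
    cannot expand."""
    if "ECDSA" in name:
        return "EC"
    if "RSA" in name or re.match(r"^(AES|CAMELLIA|DES-CBC3|SEED)", name):
        return "RSA"
    return None


def usable_ciphers(cipher_string, key_type_):
    """Split an OpenSSL-style cipher string and return (usable, unresolved):
    suites the server can negotiate with this key type, and group keywords
    that were not classified."""
    usable, unresolved = [], []
    for name in cipher_string.split(":"):
        if not name or name[0] in "!-+@":    # removals and ordering directives
            continue
        auth = suite_auth(name)
        if auth is None:
            unresolved.append(name)
        elif auth == key_type_:
            usable.append(name)
    return usable, unresolved


# Cipher strings quoted in the thread.
FIRST_CIPHERS = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA"
SECOND_CIPHERS = ("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:"
                  "ECDHE-ECDSA-AES256-SHA:" + FIRST_CIPHERS)

# Constructed sample bundle: "AAAA" bodies are placeholders, not real keys/certs.
SAMPLE_EC_BUNDLE = (
    "-----BEGIN EC PRIVATE KEY-----\nAAAA\n-----END EC PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    info = inspect_bundle(SAMPLE_EC_BUNDLE)
    print("bundle:", info)
    for label, cs in (("first", FIRST_CIPHERS), ("second", SECOND_CIPHERS)):
        usable, _ = usable_ciphers(cs, info["key_type"])
        print(f"{label} cipher string usable with {info['key_type']} key: {usable}")
```

Run it against the real bundle with `inspect_bundle(open("/path/to/bundle.pem").read())`; an empty `usable` list for the key type found is exactly the situation the first cipher string in the thread produced for an ECDSA certificate. Group keywords such as `HIGH` or `ECDHE` are listed as unresolved rather than guessed; expand them with `openssl ciphers -v 'STRING'` if you use them.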