    Netgate Discussion Forum
    HAProxy Elliptic Curve Certificates

    Cache/Proxy
    michaelschefczyk

      Dear All,

      Using letsencrypt, it is now quite simple to get a trusted certificate with an Elliptic Curve Cryptography (ECC) key. What I did not manage so far, however, is to use such a certificate in HAProxy.

      My scenario is SSL Offloading and Shared Frontends with separate certificates. I think this is called SNI; nevertheless, I did not check the boxes on "Add ACL for certificate CommonName." and "Add ACL for certificate Subject Alternative Names.". I use Advanced SSL Options "no-sslv3 no-tls-tickets ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA".

      My first attempt was to generate an ECC certificate for a less relevant domain to experiment with. This is in a Shared Frontend and all other certificates elsewhere are classic RSA certificates. That did not work, as the browser (and https://www.ssllabs.com/ssltest/) would not pick the ECC certificate in the same way it did pick the RSA certificate used regularly.

      Unfortunately, I do not quite understand the causes of issues with ECC certificates and which options might exist to do better.

      Can someone please point me to the right direction?

      Regards,

      Michael

      michaelschefczyk

        Dear All,

        I did try again, and with Advanced SSL Options "no-sslv3 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA" things do work.

        In general, to further improve HTTPS quality, a more modern OpenSSL seems to be required - let's hope for 2.4.

        Regards,

        Michael

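The difference between the RSA-only cipher list in the first post and the list that made things work, turned into a check; this is an added example written for this page, not code from the thread or from HAProxy. It reads the key type out of the PEM bundle that `bind ... crt` is handed (legacy and PKCS#8 headers, sniffing the algorithm OID in the PKCS#8 case), classifies each suite of an OpenSSL cipher list by the certificate algorithm it authenticates with, and reports whether the two fit; it also flags an encrypted key block, which HAProxy cannot load unattended. The PEM samples are constructed placeholders, not real keys.

```python
import base64
import re

# DER-encoded OIDs that identify the key type inside a PKCS#8 "BEGIN PRIVATE KEY" block.
_OID_EC = bytes.fromhex("06072a8648ce3d0201")       # id-ecPublicKey
_OID_RSA = bytes.fromhex("06092a864886f70d010101")  # rsaEncryption
_PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)-----END \1-----", re.S)

def key_type(pem_bundle: str):
    """Return 'EC', 'RSA', 'ENCRYPTED' or None for the private key found in a PEM bundle."""
    for label, body in _PEM_BLOCK.findall(pem_bundle):
        if label in ("EC PRIVATE KEY", "RSA PRIVATE KEY"):  # legacy (PKCS#1 / SEC1) headers
            return "ENCRYPTED" if "ENCRYPTED" in body else label[:label.index(" ")]
        if label == "ENCRYPTED PRIVATE KEY":  # PKCS#8 with a passphrase: unusable unattended
            return "ENCRYPTED"
        if label == "PRIVATE KEY":  # PKCS#8: sniff the algorithm OID in the DER body
            der = base64.b64decode("".join(body.split()))
            return "EC" if _OID_EC in der else "RSA" if _OID_RSA in der else None
    return None

def auth_algorithms(cipher_list: str):
    """Certificate signature algorithms that the suites in an OpenSSL cipher list can use."""
    algs = set()
    for suite in cipher_list.split(":"):
        if "-" not in suite:
            continue  # keywords such as HIGH, !aNULL or @STRENGTH are not classified here
        parts = suite.split("-")
        if "ECDSA" in parts:
            algs.add("ECDSA")
        elif "RSA" in parts or parts[0] not in ("ECDHE", "DHE", "ECDH", "DH", "PSK", "ADH", "AECDH"):
            algs.add("RSA")  # ECDHE-RSA, DHE-RSA and static-RSA suites such as AES256-SHA
    return algs

def certificate_usable(pem_bundle: str, cipher_list: str) -> bool:
    """True when at least one enabled suite can authenticate with the bundle's key type."""
    needed = {"EC": "ECDSA", "RSA": "RSA"}.get(key_type(pem_bundle))
    return needed is not None and needed in auth_algorithms(cipher_list)

# Constructed samples: the key bodies are placeholders, only headers and the OID matter here.
EC_BUNDLE = ("-----BEGIN EC PRIVATE KEY-----\nAAAA\n-----END EC PRIVATE KEY-----\n"
             "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n")
PKCS8_EC = ("-----BEGIN PRIVATE KEY-----\n" + base64.b64encode(_OID_EC).decode()
            + "\n-----END PRIVATE KEY-----\n")
RSA_ONLY = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA"
BOTH = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:" + RSA_ONLY
```

With the first post's list, `certificate_usable(EC_BUNDLE, RSA_ONLY)` is false because no enabled suite can authenticate with an ECDSA key; with the second post's list it is true.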
        resanto

          Hi Michael,

          I'm trying to configure HAProxy with an EC certificate and I configured the global settings like you described:

          ssl-default-bind-options no-sslv3 no-tls-tickets
          ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA

          My .pem file has private key + cert + CA cert; still, HAProxy fails:

          parsing [/etc/haproxy/haproxy.cfg:48] : 'bind 10.10.1.5:443' : unable to load SSL private key from PEM …ne.com.pem'

          I'm running a v1.5 HAProxy; what was the version you used?

          thanks,

          Ricardo
