    HAProxy ECDSA Certificates

    Cache/Proxy
    michaelschefczyk:

      Dear All,

      I am always glad that PiBa and others provide HAProxy! Having upgraded to pfSense 2.5.0 I did deploy TLS 1.2 and 1.3 in parallel for SSL offloading to service my websites.

      In a nutshell, my settings are

      • SSL/TLS Compatibility Mode: Auto
      • Advanced ssl options: no-tls-tickets ciphers TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256

      ACME is set up to generate both RSA and ECDSA certificates. I thought that it might be a good idea to put the ECDSA certificates (in parallel with RSA), as that should reduce the overhead for the modern TLS 1.3 variants, correct?

      Unfortunately, I was not able to achieve this. Whenever I supply both the RSA and the ECDSA certificates under "Additional certificates", I always get TLS 1.3 only and no TLS 1.2, which I would like to prefer for compatibility.

      Can someone please advise if this can be achieved?

      Regards,

      Michael Schefczyk

      PiBa @michaelschefczyk:

        @michaelschefczyk
        Hi Michael,
        I think you should look a little at that cipher list, or perhaps not configure it and go for the SSL/TLS Compatibility Mode: 'intermediate'?
        That should help to get TLS 1.2 back available (at least in my ssllabs-server-test).

        And yes, having an ECDSA cert should help to lower the overhead a bit from what I've read; having rather low traffic numbers myself, I've never bothered to investigate the exact details there.
        Regards, PiBa-NL

        © 2021 Rubicon Communications, LLC