    HAProxy ECDSA Certificates

      michaelschefczyk

      Dear All,

      I am always glad that PiBa and others provide HAProxy! Having upgraded to pfSense 2.5.0 I did deploy TLS 1.2 and 1.3 in parallel for SSL offloading to service my websites.

      In a nutshell, my settings are

      • SSL/TLS Compatibility Mode: Auto
      • Advanced ssl options: no-tls-tickets ciphers TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256

      ACME is set up to generate both RSA and ECDSA certificates. I thought that it might be a good idea to put the ECDSA certificates (in parallel with RSA), as that should reduce the overhead for the modern TLS 1.3 variants, correct?

      Unfortunately, I was not able to achieve this. Whenever I supply both the RSA and the ECDSA certificates under "Additional certificates", I always get TLS 1.3 only and no TLS 1.2, which I would like to prefer for compatibility.

      Can someone please advise if this can be achieved?

      Regards,

      Michael Schefczyk

        PiBa

        @michaelschefczyk
        Hi Michael,
        I think you should look a little at that cipher list, or perhaps not configure it and go for the SSL/TLS Compatibility Mode 'intermediate'?
        That should help to get TLS 1.2 back available. (At least in my ssllabs server test.)

        And yes, having an ECDSA cert should help to lower the overhead a bit from what I've read; having rather low traffic numbers myself, I've never bothered to investigate the exact details there.
        Regards, PiBa-NL

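As an added example (not code from this thread or from the pfSense HAProxy package), the script below audits a cipher string such as the one posted above. It relies on two facts: TLS 1.2 suite names encode the signing algorithm (ECDHE-RSA-* and DHE-RSA-* require an RSA certificate, ECDHE-ECDSA-* requires an ECDSA one), whereas TLS 1.3 suites (TLS_AES_*, TLS_CHACHA20_*) carry no authentication algorithm and work with either certificate; and HAProxy built against OpenSSL 1.1.1 or later configures TLS 1.3 suites through the `ciphersuites` bind keyword and TLS 1.2 and older suites through `ciphers`. The input string is copied from the question; the function names and the report format are this example's own.

```python
"""Audit an HAProxy cipher string for TLS 1.2 / TLS 1.3 and RSA / ECDSA coverage.

Added example, not code from the forum thread or the pfSense HAProxy package.
POSTED_CIPHER_STRING is copied from the question above; the helper names and
the bind-keyword split are assumptions of this example (HAProxy with OpenSSL
1.1.1+ takes TLS 1.3 suites via `ciphersuites`, older suites via `ciphers`).
"""
import re
from dataclasses import dataclass, field

POSTED_CIPHER_STRING = (
    "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256"
)


@dataclass
class CipherAudit:
    tls13: list = field(default_factory=list)        # IANA-style TLS 1.3 names (TLS_*)
    tls12_rsa: list = field(default_factory=list)    # suites that need an RSA certificate
    tls12_ecdsa: list = field(default_factory=list)  # suites that need an ECDSA certificate
    other: list = field(default_factory=list)        # not matched by the rules below


def split_cipher_string(cipher_string):
    """Split on ':' (OpenSSL syntax), plus commas/whitespace for pasted lists."""
    return [c for c in re.split(r"[:,\s]+", cipher_string.strip()) if c]


def classify(cipher_string):
    """Sort each suite by protocol version and the certificate type it requires.

    TLS 1.3 suites carry no authentication algorithm, so either certificate
    works. TLS 1.2 suites do: *-RSA-* sign with RSA, *-ECDSA-* with ECDSA.
    """
    audit = CipherAudit()
    for name in split_cipher_string(cipher_string):
        if name.startswith("TLS_"):
            audit.tls13.append(name)
        elif "-ECDSA-" in name:
            audit.tls12_ecdsa.append(name)
        elif "-RSA-" in name:
            audit.tls12_rsa.append(name)
        else:
            # e.g. static-RSA suites like AES128-GCM-SHA256 (implicit RSA);
            # kept apart so the per-certificate check stays conservative.
            audit.other.append(name)
    return audit


def tls12_usable_with(audit, cert_type):
    """True if at least one TLS 1.2 suite can authenticate with cert_type."""
    if cert_type == "rsa":
        return bool(audit.tls12_rsa)
    if cert_type == "ecdsa":
        return bool(audit.tls12_ecdsa)
    raise ValueError("cert_type must be 'rsa' or 'ecdsa'")


def haproxy_bind_keywords(audit):
    """Split the list into the two HAProxy bind keywords (OpenSSL 1.1.1+)."""
    return {
        "ciphersuites": ":".join(audit.tls13),
        "ciphers": ":".join(audit.tls12_rsa + audit.tls12_ecdsa + audit.other),
    }


def report(cipher_string, cert_types=("rsa", "ecdsa")):
    """Summary lines, returned (not only printed) so they can be checked."""
    audit = classify(cipher_string)
    lines = [f"TLS 1.3 suites (ciphersuites): {len(audit.tls13)}"]
    for cert in cert_types:
        ok = tls12_usable_with(audit, cert)
        lines.append(f"TLS 1.2 with {cert.upper()} cert: {'ok' if ok else 'NO suite'}")
    return lines


if __name__ == "__main__":
    for line in report(POSTED_CIPHER_STRING):
        print(line)
    print(haproxy_bind_keywords(classify(POSTED_CIPHER_STRING)))
```

Run it with `python3` and paste your own list into `classify()`. A result of "TLS 1.2 with ECDSA cert: NO suite" means the server has no TLS 1.2 suite it can complete with the ECDSA certificate, so only TLS 1.3 can be negotiated when that certificate is selected; adding ECDHE-ECDSA-* suites (the Mozilla "intermediate" profile that PiBa points to lists both ECDHE-ECDSA and ECDHE-RSA suites) removes that gap.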
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.