HAProxy ECDSA Certificates
I am always glad that PiBa and others provide HAProxy! Having upgraded to pfSense 2.5.0 I did deploy TLS 1.2 and 1.3 in parallel for SSL offloading to service my websites.
In a nutshell, my settings are
- SSL/TLS Compatibility Mode: Auto
- Advanced ssl options: no-tls-tickets ciphers TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256
ACME is set up to generate both RSA and ECDSA certificates. I thought that it might be a good idea to put the ECDSA certificates (in parallel with RSA), as that should reduce the overhead for the modern TLS 1.3 variants, correct?
Unfortunately, I was not able to achieve this. Whenever I supply both the RSA and the ECDSA certificates under "Additional certificates", I always get TLS 1.3 only and no TLS 1.2, which I would like to prefer for compatibility.
Can someone please advise if this can be achieved?
I think you should look a little at that cipher list, or perhaps not configure it and go for the SSL/TLS Compatibility Mode: 'intermediate' ?
That should help to get TLS1.2 back available. (at least in my ssllabs-server-test)
And yes having a ECDSA cert should help to lower the overhead a bit from what ive read, having rather low traffic numbers myself ive never bothered to investigate the exact details there..