Netgate Discussion Forum

HAProxy ECDSA Certificates

Cache/Proxy
  • michaelschefczyk
    last edited Feb 20, 2021, 4:40 PM

    Dear All,

    I am always glad that PiBa and others provide HAProxy! Having upgraded to pfSense 2.5.0 I did deploy TLS 1.2 and 1.3 in parallel for SSL offloading to service my websites.

    In a nutshell, my settings are

    • SSL/TLS Compatibility Mode: Auto
    • Advanced ssl options: no-tls-tickets ciphers TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256

    ACME is set up to generate both RSA and ECDSA certificates. I thought that it might be a good idea to put the ECDSA certificates (in parallel with RSA), as that should reduce the overhead for the modern TLS 1.3 variants, correct?

    Unfortunately, I was not able to achieve this. Whenever I supply both the RSA and the ECDSA certificates under "Additional certificates", I always get TLS 1.3 only and no TLS 1.2, which I would like to prefer for compatibility.

    Can someone please advise if this can be achieved?

    Regards,

    Michael Schefczyk

    • PiBa @michaelschefczyk
      last edited Feb 20, 2021, 8:18 PM

      @michaelschefczyk
      Hi Michael,
      I think you should look a little at that cipher list, or perhaps not configure it and go for the SSL/TLS Compatibility Mode: 'intermediate'?
      That should help to get TLS 1.2 back available (at least in my SSL Labs server test).

      And yes, having an ECDSA cert should help to lower the overhead a bit from what I've read; having rather low traffic numbers myself, I've never bothered to investigate the exact details there.
      Regards, PiBa-NL
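
Editor's note on the cipher list in the first post. Two things stand out in it. First, HAProxy's "ciphers" directive (and the global ssl-default-bind-ciphers) only controls TLS 1.2 and below; TLS 1.3 suites are configured separately through "ciphersuites" (ssl-default-bind-ciphersuites), so the two TLS_ names at the front of that string do nothing where they are. Second, every remaining entry is ECDHE-RSA or DHE-RSA, i.e. RSA authentication only. TLS 1.3 suites do not fix the signature algorithm, so an ECDSA certificate works there regardless, but a TLS 1.2 handshake with an ECDSA certificate needs an ECDHE-ECDSA suite. HAProxy prefers the ECDSA certificate for clients that advertise ECDSA support, and with that list such a client can then only complete a TLS 1.3 handshake, which matches the "TLS 1.3 only" result described above. The script below is an added example, not code from this thread or from the pfSense or HAProxy projects: it splits a cipher string the way HAProxy does, asks the OpenSSL linked into Python which key type each TLS 1.2 suite authenticates with, and runs the same check on an assumed corrected list (my own choice: the posted RSA suites plus their ECDHE-ECDSA counterparts, TLS 1.3 names removed).

```python
"""Check which certificate key types an HAProxy 'ciphers' string can
authenticate with for TLS 1.2, using the OpenSSL linked into Python."""
import ssl

# Cipher string as given in the first post of the thread.
POSTED_CIPHERS = (
    "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256"
)

# Assumed corrected list (editor's choice, not from the thread): the same
# RSA suites plus their ECDHE-ECDSA counterparts. TLS 1.3 names are left
# out because HAProxy takes those from 'ciphersuites', not 'ciphers'.
FIXED_CIPHERS = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "DHE-RSA-AES256-GCM-SHA384"
)


def split_cipher_string(cipher_string):
    """Split a colon-separated list into (tls13_names, tls12_names).

    TLS 1.3 suites carry the IANA 'TLS_' prefix and belong to HAProxy's
    'ciphersuites' directive; everything else is the TLS <= 1.2 list that
    the 'ciphers' directive controls.
    """
    names = [n for n in cipher_string.split(":") if n]
    tls13 = [n for n in names if n.startswith("TLS_")]
    tls12 = [n for n in names if not n.startswith("TLS_")]
    return tls13, tls12


def tls12_auth_types(cipher_string):
    """Map authentication type -> suite names for the TLS <= 1.2 suites.

    OpenSSL reports 'auth-rsa' for ECDHE-RSA/DHE-RSA suites and
    'auth-ecdsa' for ECDHE-ECDSA suites. A server presenting an ECDSA
    certificate can only finish a TLS 1.2 handshake with an 'auth-ecdsa'
    suite; TLS 1.3 suites do not fix the signature algorithm, which is
    why an RSA-only list still works for TLS 1.3.
    """
    _, tls12 = split_cipher_string(cipher_string)
    if not tls12:
        return {}  # nothing left for the TLS 1.2 cipher list
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(":".join(tls12))  # raises SSLError if nothing matches
    by_auth = {}
    for cipher in ctx.get_ciphers():
        if cipher["protocol"] == "TLSv1.3":
            continue  # in the context by default, not from our list
        by_auth.setdefault(cipher["auth"], []).append(cipher["name"])
    return by_auth


def can_serve_tls12_with_ecdsa(cipher_string):
    """True if at least one TLS 1.2 suite authenticates with ECDSA."""
    return "auth-ecdsa" in tls12_auth_types(cipher_string)


def report(label, cipher_string):
    """Print a human-readable summary for one cipher string."""
    tls13, _ = split_cipher_string(cipher_string)
    print(f"== {label}")
    if tls13:
        print("  TLS 1.3 names ignored by 'ciphers' (move to 'ciphersuites'):",
              ", ".join(tls13))
    for auth, names in sorted(tls12_auth_types(cipher_string).items()):
        print(f"  {auth}: {', '.join(names)}")
    verdict = "possible" if can_serve_tls12_with_ecdsa(cipher_string) else "IMPOSSIBLE"
    print("  TLS 1.2 with an ECDSA certificate:", verdict)


if __name__ == "__main__":
    report("posted list", POSTED_CIPHERS)
    report("fixed list", FIXED_CIPHERS)
```

For the posted list the report shows only auth-rsa suites under TLS 1.2 and flags the two TLS_ names as misplaced; the corrected list adds an auth-ecdsa group, which is what a dual RSA/ECDSA deployment needs to keep TLS 1.2 reachable. The ordering in the corrected list is one reasonable choice; the point is that each RSA suite has an ECDSA sibling, not the exact sequence.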

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.