Support dual RSA+EC certificates #169
Comments
alexshpilkin
changed the title
|
It would be really great to get this into hitch, but it seams hitch doesn't get much love from varnish team... |
|
Is this something that is on the radar? Am running into the same issue and trying to decide on a path to resolution. |
|
Hi, This is definitely on the roadmap, and is just limited by the OpenSSL upgrade I believe. |
|
Is this something the hitch team would like to develop internally? Would you be willing to accept an outside patch? I've access to some development resources that I might be able to offer. |
|
@zi0r, we are definitely open to contributions! Please have a go at it if you can |
|
If you have any requests/thoughts on a rough implementation strategedy, I'd love to be able to hear what you are thinking. It will probably enable us to more rapidly reach something we're both happy with! |
|
let me check with my colleagues if they have any view on that. On the user-side, from what I get, there's nothing to configure, apart from specifying the right certificates, then Hitch should just do the right thing™. We'll obviously want tests covering this, but we can work on that later on |
|
Hello @zi0r, we talked about this, and we don't have feedback at the moment other than "keep it clean and simple" :-) I'm on the varnish IRC channels if you want to discuss this in a more synchronous manner |
As far as I can tell from the code, Hitch currently selects the certificate to present based only on the name provided by SNI (if any). If one wants to use EC certificates (supported after #116) and support legacy RSA-only clients, it is necessary to keep RSA and EC certificates for the same domain simultaneously and choose also depending on the negotiation parameters. For example, this question on ServerFault discusses configuring this in Apache ≥2.4.8: https://serverfault.com/q/665296/.
The text was updated successfully, but these errors were encountered: