
missing support for RSA/ECDSA dual stack #2722

@thelounge-zz

Description


for httpd it is no problem to have "SSLCertificateFile" twice, one pointing to the RSA and one to the ECDSA certificate, so modern clients negotiate ECDSA (much faster handshakes) while older clients can still use RSA

see here for httpd and nginx, versus the error messages at the bottom in the case of Traffic Server:
https://blog.joelj.org/dual-rsaecdsa-certificates-in-apache-2-4/
https://scotthelme.co.uk/hybrid-rsa-and-ecdsa-certificates-with-nginx/

[root@testserver:/var/log/trafficserver]$ cat /etc/trafficserver/ssl_multicert.config
ssl_cert_name=/var/lib/letsencrypt/certs/rhsoft.conf_ecdsa.pem
ssl_cert_name=/var/lib/letsencrypt/certs/uploadprogress.conf_ecdsa.pem
ssl_cert_name=/var/lib/letsencrypt/certs/mailadmin.conf_rsa.pem
ssl_cert_name=/var/lib/letsencrypt/certs/uploadprogress.conf_rsa.pem
ssl_cert_name=/var/lib/letsencrypt/certs/0000-default.conf_ecdsa.pem
ssl_cert_name=/var/lib/letsencrypt/certs/contentlounge.conf_ecdsa.pem
ssl_cert_name=/var/lib/letsencrypt/certs/rhsoft.conf_rsa.pem
ssl_cert_name=/var/lib/letsencrypt/certs/webmail.conf_ecdsa.pem
ssl_cert_name=/var/lib/letsencrypt/certs/contentlounge.conf_rsa.pem
ssl_cert_name=/var/lib/letsencrypt/certs/0000-default.conf_rsa.pem
ssl_cert_name=/var/lib/letsencrypt/certs/corecms.conf_rsa.pem
ssl_cert_name=/var/lib/letsencrypt/certs/afi.conf_ecdsa.pem
ssl_cert_name=/var/lib/letsencrypt/certs/corecms.conf_ecdsa.pem
ssl_cert_name=/var/lib/letsencrypt/certs/mailadmin.conf_ecdsa.pem
ssl_cert_name=/var/lib/letsencrypt/certs/afi.conf_rsa.pem
ssl_cert_name=/var/lib/letsencrypt/certs/webmail.conf_rsa.pem

[Oct 29 18:01:50.921] Server {0x154f5b4d1cc0} NOTE: loading SSL certificate configuration from /etc/trafficserver/ssl_multicert.config
[Oct 29 18:01:50.944] Server {0x154f5b4d1cc0} WARNING: previously indexed 'uploadprogress.testserver.rhsoft.net' with SSL_CTX 0x2, cannot index it with SSL_CTX #4 now
[Oct 29 18:01:50.961] Server {0x154f5b4d1cc0} WARNING: previously indexed 'rhsoft.testserver.rhsoft.net' with SSL_CTX (nil), cannot index it with SSL_CTX #6 now
[Oct 29 18:01:50.961] Server {0x154f5b4d1cc0} WARNING: previously indexed 'testserver.rhsoft.net' with SSL_CTX 0x1, cannot index it with SSL_CTX #6 now
[Oct 29 18:01:50.972] Server {0x154f5b4d1cc0} WARNING: previously indexed 'contentlounge.testserver.rhsoft.net' with SSL_CTX 0x5, cannot index it with SSL_CTX #7 now
[Oct 29 18:01:50.978] Server {0x154f5b4d1cc0} WARNING: previously indexed 'default.testserver.rhsoft.net' with SSL_CTX 0x4, cannot index it with SSL_CTX #7 now
[Oct 29 18:01:50.995] Server {0x154f5b4d1cc0} WARNING: previously indexed 'corecms.testserver.rhsoft.net' with SSL_CTX 0x7, cannot index it with SSL_CTX #9 now
[Oct 29 18:01:51.001] Server {0x154f5b4d1cc0} WARNING: previously indexed 'mailadmin.testserver.rhsoft.net' with SSL_CTX 0x3, cannot index it with SSL_CTX #9 now
[Oct 29 18:01:51.006] Server {0x154f5b4d1cc0} WARNING: previously indexed 'afi.testserver.rhsoft.net' with SSL_CTX 0x8, cannot index it with SSL_CTX #9 now
[Oct 29 18:01:51.012] Server {0x154f5b4d1cc0} WARNING: previously indexed 'webmail.testserver.rhsoft.net' with SSL_CTX 0x6, cannot index it with SSL_CTX #9 now
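The selection behaviour the report asks for, shown as an added example in Go's crypto/tls (this is not Traffic Server code and not the reporter's): one server config carries an RSA and an ECDSA certificate for the same name, and a TLS 1.2 client that offers only ECDHE-ECDSA or only ECDHE-RSA cipher suites is served the matching certificate. The hostname, keys and self-signed certificates are generated in memory and are assumptions for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned mints a throwaway certificate for a constructed demo name from the given key pair.
func selfSigned(priv, pub any) tls.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"dual.example.test"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}
}

// dualStackConfig lists an RSA and an ECDSA certificate for one name; crypto/tls serves the first entry the ClientHello can use (suites, curves, sigalgs), else entry 0 (RSA).
func dualStackConfig() *tls.Config {
	rsaKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	ecKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &tls.Config{Certificates: []tls.Certificate{selfSigned(rsaKey, &rsaKey.PublicKey), selfSigned(ecKey, &ecKey.PublicKey)}}
}

// negotiatedKeyType runs one TLS 1.2 handshake over an in-memory pipe with a client offering a single cipher suite and returns the Go type of the received certificate's public key.
func negotiatedKeyType(srv *tls.Config, suite uint16) (string, error) {
	cPipe, sPipe := net.Pipe()
	defer cPipe.Close()
	go tls.Server(sPipe, srv).Handshake() // server side; its errors reach the client as alerts
	client := tls.Client(cPipe, &tls.Config{MaxVersion: tls.VersionTLS12, CipherSuites: []uint16{suite}, InsecureSkipVerify: true}) // self-signed demo cert, no chain to verify
	if err := client.Handshake(); err != nil {
		return "", err
	}
	return fmt.Sprintf("%T", client.ConnectionState().PeerCertificates[0].PublicKey), nil
}

func main() {
	srv := dualStackConfig()
	fmt.Println(negotiatedKeyType(srv, tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)) // *ecdsa.PublicKey <nil>
	fmt.Println(negotiatedKeyType(srv, tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256))   // *rsa.PublicKey <nil>
}
```

This per-ClientHello choice is what the httpd and nginx setups linked above provide; the Traffic Server warnings above show the second context for an already-indexed name being rejected instead.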
