Commits on Feb 10, 2020
This patch provides a schematic of the new architecture based on the struct cert_key_and_chain which appeared with haproxy 2.1. Could be backported to 2.1.
Commits on Feb 7, 2020
The code which is supposed to apply the bind_conf configuration on the SSL_CTX was not called correctly. Indeed, it was called with the previous SSL_CTX, so the new ones were left with default settings. For example, the ciphers were not changed. This patch fixes #429. Must be backported to 2.1.
Commits on Feb 5, 2020
In ssl_sock_load_dh_params(), if haproxy fails to apply the dhparam with SSL_CTX_set_tmp_dh(), it applies the DH with SSL_CTX_set_dh_auto(). The problem is that we don't clean the OpenSSL errors when leaving this function, so it could fail to load the certificate, even if it's only a warning. Fixes bug #483. Must be backported to 2.1.
Commits on Feb 3, 2020
This new setting in the global section alters the way HAProxy will look for unspecified files (.ocsp, .sctl, .issuer, bundles) during the loading of the SSL certificates. By default, HAProxy automatically discovers a lot of files not specified in the configuration, and you may want to disable this behavior if you want to optimize the startup time. This patch sets flags in global_ssl.extra_files and then checks them before trying to load an extra file.