Hello Julian,
On Thu, 22 Nov 2018 at 18:11, Julian Wiesener <[email protected]> wrote:
>
> Hello,
>
> one of our clients runs a haproxy setup with 2000+ SSL certificates on
> multiple IPs.
>
> As an OpenSSL CTX needs to be created for each certificate for each socket,
> restarting or reloading the config takes several minutes. Therefore I'd like
> to propose to share the CTX on multiple sockets, which reduces the reload
> times to acceptable values (~9 secs + 0.5 per IP instead of 8 per IP on our
> test setup).

Trying to understand the use-case better here, binding to any IP is not
acceptable? Your client *needs* to bind to specific IPs?

Like:

bind :443 ssl crt /etc/...

Binding to different IPs should also be possible though:

bind 10.0.0.1:443,10.0.0.2:443,10.0.0.4:443 ssl crt /etc/

I'd assume such a configuration would only create a single CTX, do you know
whether that is in fact the case (as it's just an assumption)?

Just looking for the simplest possible approach here ...

Regards,
Lukas
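As an added illustration (not part of the thread and not haproxy project code), here are the two bind shapes Lukas contrasts, written out as a complete haproxy configuration so they can be compared side by side. The addresses, the backend and the certificate directory are placeholders; whether the comma-separated form really ends up with a single CTX is Lukas's open assumption in the thread, not something the thread confirms.

```haproxy
# Added example, not from the mailing-list thread.
# Addresses, backend and certificate directory are placeholders.

global
    log /dev/log local0
    ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
    mode    http
    log     global
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Shape A: one bind line per IP, each repeating the crt directory.
# This is the per-IP setup Julian describes: every listener loads the
# whole certificate set again, so reload time grows with the number of IPs.
# (Commented out here because it binds the same ports as shape B.)
#frontend https_per_ip
#    bind 10.0.0.1:443 ssl crt /etc/haproxy/certs/
#    bind 10.0.0.2:443 ssl crt /etc/haproxy/certs/
#    bind 10.0.0.4:443 ssl crt /etc/haproxy/certs/
#    default_backend app

# Shape B: one bind line listing several address:port pairs.
# Lukas's assumption is that this creates the SSL contexts only once;
# the thread does not confirm it, so measure before relying on it.
frontend https_one_bind
    bind 10.0.0.1:443,10.0.0.2:443,10.0.0.4:443 ssl crt /etc/haproxy/certs/
    default_backend app

backend app
    server app1 127.0.0.1:8080
```

To compare the two shapes on a real certificate set, switch which frontend is commented out, run a syntax check with `haproxy -c -f haproxy.cfg`, and time a full reload of each variant, since the numbers quoted in the thread are reload times rather than check times.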

