Hello Andrii,

On Wed, Jan 08, 2025 at 04:23:56PM +0100, Andrii Ustymenko wrote:
> Dear list,
>
> As of now haproxy supports hosting different types of certificates on the
> same ip with certificate bundling:
> https://docs.haproxy.org/3.0/configuration.html#ssl-load-extra-files
>
> That works fine with the OpenSSL library, but doesn't seem to work with the
> aws-lc ssl library.
>
> When haproxy is built with aws-lc ssl, haproxy is able to use only one
> certificate per endpoint.
>
> I have tried the following configurations with aws-lc ssl:
>
> 1) Multiple crt and ciphers in bind:
>
> bind 0.0.0.0:443 ssl crt example-rsa.pem crt example-esdsa.pem
>
> In this case the first declared certificate is used. Depending on the order
> it can be ecc or rsa.
>
> 2) Bundling as described in
> https://docs.haproxy.org/3.0/configuration.html#ssl-load-extra-files:
>
> bind 0.0.0.0:443 ssl crt example.pem
>
> And two files with certificate extensions:
>
> example.pem.ecdsa
> example.pem.rsa
>
> In this case the ecc (ecdsa) certificate is always used.
>
> Both examples above work fine with OpenSSL.
>
> Are there any other options to try?
>
> Thanks!
We are still working on improving the AWS-LC support in HAProxy, and some of
the features require an up-to-date version. We try to detail our progress on
this page:

https://github.com/haproxy/wiki/wiki/SSL-Libraries-Support-Status

The ECDSA+RSA selection requires HAProxy 3.1 and an up-to-date AWS-LC version;
you won't be able to make it work with haproxy 3.0.

Regards,

--
William Lallemand
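A quick way to confirm from the outside which certificate a listener actually serves, added here as an example and not part of the thread or of HAProxy: open two TLS connections with `openssl s_client`, one advertising only RSA signature algorithms and one advertising only ECDSA ones, and read the "Peer signature type" line that OpenSSL 1.1.1+ prints after the handshake. The endpoint (HAPROXY_HOST, HAPROXY_PORT) and the function names are assumptions for illustration; the sample transcripts in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): probe a TLS listener once as an
# RSA-only client and once as an ECDSA-only client and report which key
# type the server signed the handshake with. Requires openssl 1.1.1+
# (for -sigalgs and the "Peer signature type:" line). Hypothetical target:
HAPROXY_HOST="${HAPROXY_HOST:-example.com}"   # assumption, replace with yours
HAPROXY_PORT="${HAPROXY_PORT:-443}"

# Read an `openssl s_client` transcript on stdin and print the key type the
# server signed with: "RSA" (covers RSA and RSA-PSS), "ECDSA", any other
# type verbatim, or "UNKNOWN" when no handshake completed (no such line).
# Constructed sample input: "Peer signature type: RSA-PSS" -> RSA
peer_sig_type() {
    awk '
        /^Peer signature type:/ {
            t = $4
            if (t ~ /^RSA/) { t = "RSA" }
            print t
            found = 1
            exit
        }
        END { if (!found) print "UNKNOWN" }
    '
}

# One handshake with the client restricted to the given signature_algorithms
# list; with TLS 1.3 this also restricts which certificate the server may use.
probe() {
    printf 'Q\n' | openssl s_client -connect "$HAPROXY_HOST:$HAPROXY_PORT" \
        -servername "$HAPROXY_HOST" -sigalgs "$1" 2>/dev/null \
        | peer_sig_type
}

# Succeeds only if the listener served an RSA certificate to the RSA-only
# client and an ECDSA certificate to the ECDSA-only client.
check_dual_certs() {
    rsa=$(probe "RSA-PSS+SHA256:RSA+SHA256")
    ecdsa=$(probe "ECDSA+SHA256:ECDSA+SHA384")
    echo "RSA-only client got:   $rsa"
    echo "ECDSA-only client got: $ecdsa"
    [ "$rsa" = "RSA" ] && [ "$ecdsa" = "ECDSA" ]
}

# Network probe only when invoked as `sh check-certs.sh --probe`.
case "${1:-}" in
    --probe) check_dual_certs ;;
esac
```

A result of UNKNOWN for one of the two probes means that handshake did not complete, which is what an ECDSA-only client or an RSA-only client sees when the listener only has the other key type to offer; a result where both probes report the same type means one certificate is being served regardless of client capability, which is the symptom described above.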