HAProxy community

Client certificate revocation (CRL), long life connections, etc


#1

I am trying to understand the CRL capabilities in HAProxy. Specifically, we are running HAProxy in a container and are refreshing the CRL data source outside of the container several times a day. We support around 30 different certificate issuers, all of whom re-issue their CRLs on various schedules, and with varied frequency.

Some specific questions I have:

  1. has anyone solved the hot-reloading issue - that is, is there a “reload” type command that will gracefully reload the CRL files?
  2. if restart of HAProxy is required, is there a preferred approach (like a master HAProxy process that does no CRL verification and lives for a long time that offloads to n child processes that can come and go?
  3. Is there a limit to the size of a single CRL file? Apache supports using an entire directory of CRL files (via SSLCARevocationPath ), which comes into play for us. Several of the CRL files we support (issued by US Government) are many MB in size. A combined CRL file often reaches 300+MB. nginx has been ruled out for us because of this exact issue (it can’t handle large CRL files and doesn’t support the directory approach)