HAProxy community

CRL reload and long life tcp connections



I have to use HAProxy to enforce TLS encryption on application flows.

I use the following features:

  • Multiple server certificates
  • client certificate verify
  • crl checking

Application flows imply long-lived TCP connections, which means we have to avoid restarting or reloading the configuration. Indeed, as a reload keeps the current connections attached to the original process, it results in a multiplication of HAProxy instances.

It’s especially true with the CRL refresh that I have to do periodically. Is there work in progress to add hot reload of the CRL file?
For example, a Unix socket command, like the one used to set a new maxconn, could allow these new data to be used for new connections…

Another approach would be to deal with long-lived connections during reload, but I haven’t found relevant resources; only high availability seems to be handled.

Does anyone have similar needs, or maybe solutions?



I am also trying to understand the CRL capabilities in HAProxy. Specifically, we are running HAProxy in a container and are refreshing the CRL data source outside of the container several times a day. We support around 30 different certificate issuers, all of whom re-issue their CRLs on various schedules, and with varied frequency.

Some specific questions I have:

  1. Has anyone solved the hot-reloading issue?

  2. If a reload of HAProxy is required, is there a preferred approach (like a master HAProxy process that does no CRL verification and lives for a long time, and offloads to n child processes that can come and go)?

  3. Is there a limit to the size of a single CRL file? Apache supports using an entire directory of CRL files (via SSLCARevocationPath), which comes into play for us. Several of the CRL files we support (issued by the US Government) are many MB in size. A combined CRL file often reaches 300+ MB. nginx has been ruled out for us because of this exact issue (it can’t handle large CRL files and doesn’t support the directory approach).
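The following is an added example that addresses both posts above (the first post's wish for a socket command that swaps the CRL for new connections, and the second post's questions 1 and 2); it is not code from either poster nor from the HAProxy project. It assumes HAProxy 2.5 or newer, where the runtime API gained `set ssl crl-file` / `commit ssl crl-file` (and `show ssl crl-file`), an admin-level stats socket at the hypothetical path /var/run/haproxy.sock, socat on the host, and the file paths, the `HAPROXY_SOCK` variable, the `mworker-max-reloads` / `hard-stop-after` values and the function names shown, all of which are illustrative choices.

```shell
#!/bin/sh
# Added example, not from the forum thread and not HAProxy's own code.
# Assumes HAProxy >= 2.5 (runtime "set ssl crl-file"/"commit ssl crl-file")
# and an admin-level stats socket at the hypothetical /var/run/haproxy.sock.

# 1. Config fragment: every certificate in a directory, mandatory client-cert
#    verification against a CA bundle plus a CRL, and master-worker settings that
#    bound how long old workers (carrying long-lived connections) may linger
#    after a reload. The two numeric values are assumed, tune them to your SLA.
haproxy_cfg_fragment() {
cat <<'EOF'
global
    stats socket /var/run/haproxy.sock mode 600 level admin
    master-worker
    mworker-max-reloads 3     # assumed value: a worker that survives 3 reloads is killed
    hard-stop-after 24h       # assumed value: old workers exit at most 24h after a reload

frontend fe_tls
    # "crt <dir>" loads every certificate in the directory; SNI selects the one to serve.
    bind :443 ssl crt /etc/haproxy/certs/ verify required ca-file /etc/haproxy/ca.pem crl-file /etc/haproxy/crl.pem
    default_backend be_app
EOF
}

# 2. Runtime-API transaction that replaces an already-loaded CRL in place.
#    $1 must be exactly the path given to crl-file in the config; $2 is the
#    freshly downloaded PEM. Payload syntax follows "set ssl cert": the command,
#    "<<", the PEM body, then an empty line terminating the payload.
crl_set_command() {
    printf 'set ssl crl-file %s <<\n' "$1"
    # print the PEM line by line, then the empty terminator line; awk makes this
    # work even when the downloaded file lacks a trailing newline
    awk '{ print } END { print "" }' "$2"
}

crl_commit_command() {
    printf 'commit ssl crl-file %s\n' "$1"
}

# 3. Push the new CRL. Each command travels over its own socket connection, as in
#    the HAProxy management guide's "set ssl cert" example. Only new TLS handshakes
#    see the new CRL; established connections and running workers are untouched,
#    so there is no reload and no additional HAProxy process.
push_crl() {
    sock="${HAPROXY_SOCK:-/var/run/haproxy.sock}"
    crl_set_command "$1" "$2" | socat stdio "UNIX-CONNECT:${sock}"
    crl_commit_command "$1"   | socat stdio "UNIX-CONNECT:${sock}"
    # confirm what the running process now holds
    printf 'show ssl crl-file %s\n' "$1" | socat stdio "UNIX-CONNECT:${sock}"
}

# usage (e.g. from the cron job that fetches the issuers' CRLs):
#   push_crl /etc/haproxy/crl.pem /tmp/crl-fresh.pem
```

Two practitioner caveats: `set ssl crl-file` only updates a CRL that HAProxy already loaded from the configuration (the transaction can be discarded with `abort ssl crl-file` if the commit fails validation), and the second post's 300+ MB combined bundles should be pushed through this path in a test environment before the cron job depends on it. For the cases where a full reload is still unavoidable, the `master-worker` settings in the fragment are what keep stale workers from accumulating indefinitely.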