Hi Baptiste,

Thanks for the links. It's all working.
I need to test one more setup:

SNI + clientsserver on one IP
To have SNI-based SSL offload virtual hosting, and some of the domains
must require SSL VERIFY.

On the BIND directive the CA-FILE directive could be specified only once.

For NGINX this setting is in each "server" directive.


        Best regards
                Peter

-----Original Message-----
From: Baptiste <[email protected]>
Date: Tuesday, July 2, 2013 11:13 AM
To: Hudec Peter <[email protected]>
Cc: Lukas Tribus <[email protected]>, "[email protected]"
<[email protected]>
Subject: Re: ssl sni and client certificate verification

>Hi Peter,
>
>A few more information about HAProxy features and client certificate:
>http://blog.exceliance.fr/2012/10/03/ssl-client-certificate-management-at-
>application-level/
>http://blog.exceliance.fr/2013/06/13/ssl-client-certificate-information-in
>-http-headers-and-logs/
>
>Baptiste
>
>
>On Tue, Jul 2, 2013 at 10:39 AM, Hudec Peter <[email protected]> wrote:
>> Thanks Lukas,
>>
>> I will try 1.5 version.
>>
>> But for Debian this version is in experimental now ;( I will look if
>>something is
>> already done for Wheezy.
>>
>>         Best regards
>>                 Peter Hudec
>>
>> -----Original Message-----
>> From: Lukas Tribus <[email protected]>
>> Date: Tuesday, July 2, 2013 10:24 AM
>> To: Hudec Peter <[email protected]>, "[email protected]"
>> <[email protected]>
>> Subject: RE: ssl sni and client certificate verification
>>
>>>Hi Peter!
>>>
>>>
>>>> 1) SSL SNI with SSL offload
>>>> As I read the docs, this is supported only in version 1.5, which is
>>>>still
>>>> not stable. Is there any way how to do this on 1.4 without nginx as
>>>> frontend?
>>>
>>>SSL offload does work only in 1.5. In 1.4 you need to do this with
>>>stunnel
>>>or stud, but that's a lot more complex and error prone than to simply
>>>use
>>>1.5.
>>>I'm not sure client verification is supported with stunnel or stud.
>>>
>>>I suggest you give haproxy 1.5-dev19 a try. It's already in use by a lot
>>>of
>>>people in production despite it's not declared stable.
>>>
>>>
>>>
>>>> 2) SSL client verification
>>>> I did not find how to enforce the client verification on the
>>>>haproxy
>>>
>>>On the bind line, add "verify required":
>>>http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#5.1-verify
>>>
>>>You will also need to configure the CA file for verification (keyword:
>>>ca-file).
>>>
>>>
>>>Regards,
>>>
>>>Lukas
>>
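The setup Peter wants to test (one IP, SNI-based SSL offload, client certificates required for only some of the hosted domains) is not covered by Lukas's `verify required` hint alone, because `ca-file` and `verify` apply to the whole `bind` line. The configuration below is an added example written for this thread, not a config posted by any of the participants: it uses `verify optional` so every client is asked for a certificate, then denies requests per SNI name with ACLs on `ssl_fc_sni`, `ssl_c_used` and `ssl_c_verify`, which are available in HAProxy 1.5. All addresses, hostnames, paths and backend names are assumed placeholders.

```haproxy
# Added example (not from the mailing-list thread): single HAProxy 1.5
# frontend on one IP, SNI-based SSL offload, client certificate enforced
# only for secure.example.com. Every host, path and address is a placeholder.
global
    tune.ssl.default-dh-param 2048

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend https-in
    # One bind line serves all certificates in the directory (SNI picks one).
    # ca-file and verify can only be given once per bind line, so use
    # "verify optional": a certificate is requested from every client, and
    # one that is presented is checked against clients-ca.pem, but a client
    # without a certificate is still allowed to complete the handshake.
    bind 192.0.2.10:443 ssl crt /etc/haproxy/certs/ ca-file /etc/haproxy/ca/clients-ca.pem verify optional

    # Which SNI name the client asked for, and what the verification yielded
    acl sni_secure   ssl_fc_sni -i secure.example.com
    acl cert_present ssl_c_used
    acl cert_ok      ssl_c_verify 0

    # Enforce the certificate only for the domain that needs it; by default a
    # certificate that fails verification already aborts the handshake unless
    # crt-ignore-err is set, so cert_ok is a belt-and-braces check.
    http-request deny if sni_secure !cert_present
    http-request deny if sni_secure !cert_ok

    use_backend bk_secure if sni_secure
    default_backend bk_public

backend bk_secure
    server app1 10.0.0.11:8080

backend bk_public
    server web1 10.0.0.21:8080
```

With this layout, public.example.com (any name other than the protected one) is served without a client certificate, while a request for secure.example.com that arrives without a certificate, or with one the CA does not vouch for, gets a 403 from the `http-request deny` rules instead of reaching the backend. The trade-off against `verify required` is that the decision is made after the TLS handshake, at the HTTP layer, so keep the rules in the frontend rather than in individual backends.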
