Hi Evan, On Sun, Aug 04, 2013 at 07:44:11PM +0100, Evan Broder wrote: > Although HAProxy can verify the SSL certs of an SSL-enabled server > against a CA chain, it currently doesn't check the actual hostname on > the cert, meaning that it will accept any cert signed by any major CA > (and thus can be man-in-the-middle'd simply by controlling DNS). > > I've been working on a patch to allow specifying the hostname that a > certificate must match. This allows you to specify "verifyhost > <hostname>" as a parameter to a server statement, e.g. > > server google google.com:443 ssl verify required verifyhost google.com > > There's a bit of complexity in the code due to handling wildcard > subjects and subjectAlternateNames, but it seems to work correctly in > my testing. > > I've attached my current version of the patch. I wanted to offer it up > for feedback on both the code itself and things like the name of the > option before I wrote docs, etc. If the patch seems reasonable, I'm > happy to write up the docs for it.
Sorry, I missed this patch, but fortunately Lukas pointed it to me. Next time, please prefix your subject with "[PATCH]" or something like this so that I don't miss it! It is very clean and well documented, good job! It looks OK to me. Do you want me to merge it now or do you prefer to resend it with the doc ? It's as you like, just tell me what you prefer. Thanks, Willy
