On Sat, Dec 14, 2013 at 4:26 PM, Ghislain <[email protected]> wrote:
> hi,
>
>  I experienced a strange thing in haproxy today. I use
>
> bind 0.0.0.0:443 ssl crt /etc/haproxy/ssl/ ciphers HIGH:!aNULL:!MD5
>
>
>   in /etc/haproxy/ssl/ I had 2 files
>
> domaineA.pem
> domaineB.pem
>
>
>   DomainA.pem was only key+cert
>   DomainB.pem was key+cert+intermediateCA
>
>
>   Note that the 2 domains and certs are different but belong to the same
> provider, here rapidssl.
>
>   When asked to access domaineB in https, haproxy would not return the
> intermediateCA, which in this situation made the trust chain invalid in chrome.
>
>   I fought a lot and then eventually looked at the other pem file and noticed
> that domainA was lacking its intermediate cert. I added it and then when I
> did https://domaineB, I was getting the intermediate cert right (even if it
> was already in domainB pem file and domainA is unrelated).
>
>   So I wonder if it is normal that, as the domainB.pem was good, haproxy decided
> to not send the intermediate until I loaded it into domaineA.pem also?
>
>
> best regards,
> Ghislain.
>


Hi Ghislain,

when loading certificates from a directory, HAProxy uses SNI to know
which certificate to use.
If the client does not deliver any SNI information, then HAProxy will
deliver the first certificate loaded from the directory.

So in your case, I would say the client does not send any SNI
information hence HAProxy presented the wrong certificate (or at least
the one without the intermediate).

You can configure HAProxy to log TLS version and SNI information
using the log-format directive.
I often use the log-format line below (this is a compatible HTTP log
line with SSL information embedded):
  log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\
             %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\
             {%sslv/%sslc/%[ssl_fc_sni]/%[ssl_fc_session_id]}\ %{+Q}r

which allows you to log the TLS version, SSL cipher negotiated, SNI and session ID.

Before the URL, you'll find such type of information:
{TLSv1/RC4-MD5/-/393ABC19DBA1C9C8E0269193A6F5FF33BE0DB7F4AE27318A4AA64F998EEB774D}

In this case, the client did not send the SNI (third information is a hyphen).

Please let us know if this helped you.

Baptiste
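As an added example (not part of either message on this thread), the following Python script parses log lines produced by the log-format quoted above and reports which clients connected without SNI, i.e. the ones that will be served the first certificate loaded from the directory rather than the one matching the hostname. The log lines, hostnames and session IDs are constructed for the example; the parser anchors on the `{tls/cipher/sni/session_id} "request"` tail so it does not depend on whether `%hr`/`%hs` header captures are configured.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Matches the "{%sslv/%sslc/%[ssl_fc_sni]/%[ssl_fc_session_id]} %{+Q}r" tail of
# the log-format from the reply. Everything before it is ignored on purpose.
_SSL_TAIL = re.compile(
    r'\{(?P<tls>[^/{}]*)/(?P<cipher>[^/{}]*)/(?P<sni>[^/{}]*)/(?P<session>[^/{}]*)\}'
    r'\s+"(?P<request>[^"]*)"\s*$'
)


@dataclass
class TlsRecord:
    tls_version: str
    cipher: str
    sni: Optional[str]   # None when the client sent no SNI ("-" in the log)
    session_id: str
    request: str


def parse_line(line: str) -> Optional[TlsRecord]:
    """Extract the TLS block from one HAProxy log line; None if absent."""
    m = _SSL_TAIL.search(line)
    if not m:
        return None
    sni = m.group("sni")
    return TlsRecord(
        tls_version=m.group("tls"),
        cipher=m.group("cipher"),
        sni=None if sni in ("", "-") else sni,
        session_id=m.group("session"),
        request=m.group("request"),
    )


def summarize(lines: List[str]) -> Dict[str, object]:
    """Count requests, no-SNI requests, and the SNI / TLS version distribution."""
    records = [r for r in map(parse_line, lines) if r is not None]
    no_sni = [r for r in records if r.sni is None]
    return {
        "total": len(records),
        "no_sni": len(no_sni),
        "no_sni_clients": [line.split()[0] for line, rec in zip(lines, map(parse_line, lines))
                           if rec is not None and rec.sni is None],
        "by_sni": Counter(r.sni or "(none)" for r in records),
        "by_tls": Counter(r.tls_version for r in records),
    }


# Constructed sample log lines in the quoted log-format (addresses from the
# documentation range 192.0.2.0/24, hostnames and session IDs made up).
SAMPLE_LINES = [
    '192.0.2.10:51234 [14/Dec/2013:16:26:01.123] https-in~ web/srv1 5/0/1/12/18 200 1530 - - ---- 3/3/0/0/0 0/0 '
    '{TLSv1/RC4-MD5/-/393ABC19DBA1C9C8E0269193A6F5FF33BE0DB7F4AE27318A4AA64F998EEB774D} "GET / HTTP/1.1"',
    '192.0.2.11:51235 [14/Dec/2013:16:26:02.456] https-in~ web/srv2 3/0/1/8/12 200 2210 - - ---- 4/4/0/0/0 0/0 '
    '{TLSv1.2/ECDHE-RSA-AES128-GCM-SHA256/domaineB.example/0A1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D4E5F60718293A4B5C6D7E8F9} '
    '"GET /login HTTP/1.1"',
    '192.0.2.12:51236 [14/Dec/2013:16:26:03.789] https-in~ web/srv1 4/0/2/9/15 302 512 - - ---- 2/2/0/0/0 0/0 '
    '{TLSv1.1/AES256-SHA/domaineA.example/FFEEDDCCBBAA99887766554433221100FFEEDDCCBBAA99887766554433221100} '
    '"GET /index.html HTTP/1.1"',
    # A plain HTTP frontend line without the TLS block: skipped by the parser.
    '192.0.2.13:40001 [14/Dec/2013:16:26:04.000] http-in web/srv2 2/0/1/5/8 200 800 - - ---- 1/1/0/0/0 0/0 '
    '"GET /health HTTP/1.0"',
]


if __name__ == "__main__":
    report = summarize(SAMPLE_LINES)
    print(f"TLS requests: {report['total']}, without SNI: {report['no_sni']}")
    for client in report["no_sni_clients"]:
        print(f"  no SNI from {client} -> served the first certificate in the directory")
    print("SNI distribution:", dict(report["by_sni"]))
    print("TLS versions:", dict(report["by_tls"]))
```

Run it against a real HAProxy log produced with that log-format; a non-empty `no_sni_clients` list is the population that sees the first-loaded certificate regardless of the hostname they intended, which is exactly the behaviour described above.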
