Hi Baptiste,

On Tue, Apr 01, Baptiste wrote:
> Hi Jarno,
>
> some information available here:
> http://blog.exceliance.fr/2013/06/13/ssl-client-certificate-information-in-http-headers-and-logs/
> and here:
> http://blog.exceliance.fr/2012/10/03/ssl-client-certificate-management-at-application-level/

Thanks. crt-ignore-err 18,19,20,27,21 seems to allow connection with
client certificate that server can't verify.

ExportCertData / nginx $ssl_client_cert: What I would need is the client
certificate in pem format (this is for java web application that does its
own certificate checks (shibboleth-idp backchannel connections)). I guess
this is not possible w/out any code changes.

> concerning nbproc, you should make all your SSL processes point to
> a single HAProxy process in clear where you do your stick-table stuff.
> Each frontend and backend must be in the same process, so you must
> pass information through the loopback interface between your SSL
> frontends and your HTTP with stick-table backends.

I'm not sure if I understand you correctly. You don't happen to have any
configuration examples ?

-Jarno

PS. Thank you for your blog posts. Very useful resource.

> Baptiste
>
>
> On Tue, Apr 1, 2014 at 1:58 PM, Jarno Huuskonen <[email protected]>
> wrote:
> > Hello,
> >
> > I have a couple of haproxy(1.5dev22 snapshot) ssl related questions:
> >
> > Is it possible to use mod_ssl compatible "optional_no_ca" client
> > cert verify with haproxy:
> > - is it possible to use "ca-ignore-err" for this.
> >   (I think apache 2.2.7(mod_ssl) ignores these errors w/optional_no_ca:
> >   #define ssl_verify_error_is_optional(errnum) \
> >     ((errnum == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) \
> >     || (errnum == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) \
> >     || (errnum == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) \
> >     || (errnum == X509_V_ERR_CERT_UNTRUSTED) \
> >     || (errnum == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE)) \
> >   )
> > - so ca-ignore-err 18,19,20,27,21 should be same as "optional_no_ca" ?
> > - or is the correct keyword crt-ignore-err (or both :) ?
> >
> > Is it possible to send the client certificate to backend server in header
> > (similar to mod_ssl +ExportCertData / nginx $ssl_client_cert):
> > - I think something like:
> >   http-request set-header X-SSL-Client-Cert %{+Q}[ssl_c_cert]
> > - AFAIK currently there's no keyword / code for this ? But would it be
> >   possible to add new smp_fetch_ssl_c_* function for this ?
> >   (I might try to code it myself if this sounds reasonable ?)
> >
> > - ssl offloading and nbproc:
> >   - is nbproc > 1 recommended way to handle ssl offloading if one core
> >     is not able to handle the load ?
> >   - is it possible to use stick tables with nbproc > 1:
> >     - for example bind-process 1-3 to ssl enabled frontends and
> >       bind-process 4 for backends -> is it possible to use stick tables
> >       on backends ?
> >     - stick table peers with nbproc > 1 ?
> >
> > Thanks,
> > -Jarno

--
Jarno Huuskonen - System Administrator | jarno.huuskonen atsign uef.fi
Univ. of Eastern Finland - Computer Center | Work: +358-40-3552822
PO BOX 1627, 70211 Kuopio, Finland
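Added example (not from the thread, not Baptiste's or the HAProxy project's configuration): one way to put the three pieces of the discussion together in HAProxy 1.5 syntax. It assumes nbproc 4, certificate paths under /etc/haproxy, loopback port 8080 and two hypothetical application servers; adjust all of those. Two points the thread leaves open are made explicit here. First, the 1.5 manual splits the ignore lists by chain depth: crt-ignore-err applies to errors raised on the client certificate itself (depth 0) and ca-ignore-err to errors raised further up the chain, so emulating mod_ssl's optional_no_ca for the five error IDs quoted in the question means listing them in both. Second, once the connection has crossed the loopback hop, src is 127.0.0.1, so the PROXY protocol (send-proxy / accept-proxy) is used to carry the real client address into the process that owns the stick table. The certificate is passed as base64 of its DER encoding (ssl_c_der with the base64 converter), which is exactly the body of a PEM CERTIFICATE block; the application only has to add the BEGIN/END lines.

```haproxy
global
    # Processes 1-3 terminate TLS, process 4 owns the stick table.
    # (nbproc value and all paths/addresses below are assumptions.)
    nbproc 4

defaults
    mode    http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# --- TLS termination, spread over processes 1-3 -----------------------------
frontend fe-ssl
    bind-process 1-3
    # "verify optional": ask for a client certificate, do not require one.
    # The five error IDs are the ones from the mod_ssl optional_no_ca macro:
    # 18 depth-zero self-signed, 19 self-signed in chain, 20 issuer not found
    # locally, 21 unable to verify leaf signature, 27 cert untrusted.
    # crt-ignore-err covers depth 0, ca-ignore-err covers depth > 0.
    bind :443 ssl crt /etc/haproxy/site.pem ca-file /etc/haproxy/trusted-cas.pem \
        verify optional \
        crt-ignore-err 18,19,20,21,27 \
        ca-ignore-err  18,19,20,21,27

    # Never trust these headers from the client: delete them unconditionally
    # first, otherwise a request without a client certificate could carry a
    # forged X-SSL-Client-Cert straight through to the application.
    http-request del-header X-SSL-Client-Cert
    http-request del-header X-SSL-Client-Verify

    # ssl_c_verify is the OpenSSL verify error ID (0 = chained to ca-file).
    # With the ignore lists above the handshake succeeds even when it is
    # non-zero, so the application can tell "verified" from "unverified".
    http-request set-header X-SSL-Client-Verify %[ssl_c_verify] if { ssl_c_used }

    # base64(DER) is the body of a PEM block. On the application side:
    #   "-----BEGIN CERTIFICATE-----\n" + header value + "\n-----END CERTIFICATE-----"
    http-request set-header X-SSL-Client-Cert %[ssl_c_der,base64] if { ssl_c_used }

    default_backend be-to-clear

backend be-to-clear
    bind-process 1-3
    # Cross the process boundary over loopback. send-proxy prepends the
    # PROXY protocol header so the receiving process sees the real client IP.
    server local 127.0.0.1:8080 send-proxy

# --- Clear-text side, a single process, where the stick table lives --------
frontend fe-clear
    bind-process 4
    # Loopback only: the X-SSL-* headers are only trustworthy because nothing
    # but fe-ssl can reach this listener.
    bind 127.0.0.1:8080 accept-proxy
    default_backend be-app

backend be-app
    bind-process 4
    # Because every request reaches this one process, the table is consistent;
    # with the table split across processes 1-3 each process would keep its
    # own copy. src is the real client here thanks to accept-proxy above.
    stick-table type ip size 100k expire 30m
    stick on src
    server app1 10.0.0.11:8080 check   # hypothetical application servers
    server app2 10.0.0.12:8080 check
```

Usage note: this is a shape, not a drop-in file; check it with `haproxy -c -f` against the version actually deployed, since option names and the base64 converter are 1.5-era features. If peers are needed, they are declared against be-app's table in process 4 only, which is the point of funnelling everything into that process.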

