Hi all,
On 28/03/2015 10:24, Lukas Tribus wrote:
> In fact, I am sure it's a bug.
> I also happen to have the following certs:
> *.apps.mycompany.com.au
> *.its.apps.mycompany.com.au
> If I go to sitea.its.apps.mycompany.com.au, I get the
> *.apps.mycompany.com.au certificate
> The workaround in the meantime is to make sure haproxy
> loads the more specific (longer) wildcard certificate before
> the less specific certificate.
> This should make it work until there's a fix for this.
Currently, using only CN I'm unable to reproduce any issue.
I've generated 3 self signed certificates
- site.localhost
- *.site.localhost
- *.sub.site.localhost
And the test configuration is as follows:
global
    tune.ssl.default-dh-param 2048

listen sni
    mode http
    bind :9443 ssl crt sni/pem/
    server s 127.0.0.1:80
The tests were done with various orders in the "sni/pem" directory.
$ curl -kvs https://site.localhost:9443/ 2>&1 | grep subject
* subject: C=FR; ST=Local; L=Local; O=Local; OU=Local;
CN=site.localhost; emailAddress=local@localhost
=> The certificate for site.localhost is provided, as expected.
$ curl -kvs https://a.site.localhost:9443/ 2>&1 | grep subject
* subject: C=FR; ST=Local; L=Local; O=Local; OU=Local;
CN=*.site.localhost; emailAddress=local@localhost
=> The certificate for *.site.localhost is provided, as expected.
$ curl -kvs https://sub.site.localhost:9443/ 2>&1 | grep subject
* subject: C=FR; ST=Local; L=Local; O=Local; OU=Local;
CN=*.site.localhost; emailAddress=local@localhost
=> The certificate for *.site.localhost is provided, as expected.
$ curl -kvs https://a.sub.site.localhost:9443/ 2>&1 | grep subject
* subject: C=FR; ST=Local; L=Local; O=Local; OU=Local;
CN=*.sub.site.localhost; emailAddress=local@localhost
=> The certificate for *.sub.site.localhost is provided, as expected.
$ curl -kvs https://b.a.sub.site.localhost:9443/ 2>&1 | grep subject
* subject: C=FR; ST=Local; L=Local; O=Local; OU=Local;
CN=*.sub.site.localhost; emailAddress=local@localhost
=> Here, the first loaded certificate was the one for
*.sub.site.localhost, which is the one provided, as expected.
$ curl -kvs https://b.a.sub.site.localhost:9443/ 2>&1 | grep subject
* subject: C=FR; ST=Local; L=Local; O=Local; OU=Local;
CN=site.localhost; emailAddress=local@localhost
=> After modifying the certificate order, the first loaded certificate
was the one for site.localhost, which is the one provided, as expected.
--
Cyril Bonté
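A small model of the lookup the curl tests above exercise, added here as example code; it is not haproxy's code and not something posted in this thread. It assumes the selection order I read in haproxy 1.5's SNI callback: exact SNI match first, then a wildcard covering exactly one label, and otherwise the first certificate loaded from the crt directory as the default. It matches on CN only, as in the test above, and ignores SubjectAltName entirely. The CNs and SNI names are the ones from this thread; the helper names (build_tables, select_cert, order_sensitive, reproduce_thread) are mine.

```python
"""SNI certificate selection modelled on the tests above.

Added example (not haproxy's code).  Assumption: haproxy 1.5 picks the
certificate by exact SNI match, then by a single-label wildcard match,
and otherwise serves the first certificate it loaded from the 'crt'
directory.  CN only, as in the test, with no SubjectAltName handling.
"""
from itertools import permutations


def build_tables(loaded_cns):
    """Index certificates by CN in load order.

    Returns (exact, wild, default).  'wild' is keyed by the part after
    '*.', so '*.site.localhost' is stored under 'site.localhost'.  A CN
    seen twice keeps its first entry, and the default is the first
    certificate loaded, which is why directory order matters.
    """
    exact, wild = {}, {}
    for cn in loaded_cns:
        cn = cn.lower()
        if cn.startswith("*."):
            wild.setdefault(cn[2:], cn)
        else:
            exact.setdefault(cn, cn)
    return exact, wild, loaded_cns[0].lower()


def select_cert(servername, loaded_cns):
    """Return the CN of the certificate served for this SNI name."""
    exact, wild, default = build_tables(loaded_cns)
    name = servername.lower().rstrip(".")
    if name in exact:
        return exact[name]
    # A wildcard covers exactly one label: strip the leftmost label and
    # look for '*.' + remainder.  'b.a.sub.site.localhost' would need
    # '*.a.sub.site.localhost', which nobody has, so it falls through
    # to the default (first loaded) certificate.
    _, sep, rest = name.partition(".")
    if sep and rest in wild:
        return wild[rest]
    return default


def order_sensitive(servername, cns):
    """True if the served certificate depends on the load order."""
    results = {select_cert(servername, list(p)) for p in permutations(cns)}
    return len(results) > 1


def reproduce_thread():
    """Re-run the curl cases from the message plus the reporter's case."""
    first = ["*.sub.site.localhost", "*.site.localhost", "site.localhost"]
    second = ["site.localhost", "*.site.localhost", "*.sub.site.localhost"]
    reporter = ["*.apps.mycompany.com.au", "*.its.apps.mycompany.com.au"]
    return {
        "site.localhost": select_cert("site.localhost", first),
        "a.site.localhost": select_cert("a.site.localhost", first),
        "sub.site.localhost": select_cert("sub.site.localhost", first),
        "a.sub.site.localhost": select_cert("a.sub.site.localhost", first),
        "b.a.sub (wild first)": select_cert("b.a.sub.site.localhost", first),
        "b.a.sub (site first)": select_cert("b.a.sub.site.localhost", second),
        "b.a.sub order-sensitive": order_sensitive("b.a.sub.site.localhost", first),
        "reporter": select_cert("sitea.its.apps.mycompany.com.au", reporter),
        "reporter order-sensitive": order_sensitive(
            "sitea.its.apps.mycompany.com.au", reporter),
    }


if __name__ == "__main__":
    for case, result in reproduce_thread().items():
        print(f"{case:26} -> {result}")
```

Under this CN-only model the only name whose answer changes with directory order is b.a.sub.site.localhost, which has neither an exact nor a one-label wildcard match and so gets the default; sitea.its.apps.mycompany.com.au picks *.its.apps.mycompany.com.au in either order, which is consistent with the issue not reproducing with CN-only certificates.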