Hello there,

While testing SSL termination with Haproxy, I came across a strange behavior,
and wonder if this is a bug or something expected.

I have a self-signed X509 certificate without CN. So the cert looks like this:

Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 11926082458965984689 (0xa581f4cf30af45b1)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=XX, L=Default City, O=Default Company Ltd
        Validity
            Not Before: Jul 15 22:56:12 2015 GMT
            Not After : Jul 14 22:56:12 2016 GMT
        Subject: C=XX, L=Default City, O=Default Company Ltd
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:

Then I added a cipher string in the binding.

  bind 0.0.0.0:8443 ssl crt /var/lib/load-balancer-servo/certwithoutcn/cert.pem no-sslv3 no-tlsv10 no-tlsv11 ciphers DHE-RSA-AES256-SHA256

Then haproxy does not honor the protocols and the specified cipher string, and the
list of accepted ciphers is the same as in the case without the protocol & cipher
options (so it’s the openssl default). When a cert with a CN (any CN, valid or
invalid) is used, then the cipher string is correctly honored.

Is this a bug?
-------------------
Sang-Min Park – Software Engineer
HP Helion Cloud
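
A pre-deployment check for the certificate shape described in the message above, as an added example that is not part of the original post or of HAProxy: it parses `openssl x509 -text` output and flags a subject with no CN, a pre-v3 certificate, and a SHA-1 signature. The function names are hypothetical, and the sample input is the dump quoted in the post.

```python
import re

# Certificate text as quoted in the post (the dump is cut off there at "Modulus:").
SAMPLE_DUMP = """\
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 11926082458965984689 (0xa581f4cf30af45b1)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=XX, L=Default City, O=Default Company Ltd
        Validity
            Not Before: Jul 15 22:56:12 2015 GMT
            Not After : Jul 14 22:56:12 2016 GMT
        Subject: C=XX, L=Default City, O=Default Company Ltd
"""

def parse_dn(dn):
    """Split a DN printed by openssl ('C=XX, CN=a' or 'C = XX, CN = a') into pairs.
    A comma only separates attributes when the next token looks like 'TYPE=',
    so values such as 'Foo, Inc' stay in one piece."""
    parts = re.split(r",\s*(?=[A-Za-z][A-Za-z0-9.]*\s*=)", dn.strip())
    pairs = []
    for part in parts:
        key, sep, value = part.partition("=")
        if sep:
            pairs.append((key.strip(), value.strip()))
    return pairs

def audit_cert_text(text):
    """Return a list of findings for one `openssl x509 -text` dump."""
    subject = re.search(r"^[ \t]*Subject:[ \t]*(.*)$", text, re.M)
    if subject is None:
        return ["no Subject line found"]
    findings = []
    if not any(k.upper() == "CN" for k, _ in parse_dn(subject.group(1))):
        findings.append("subject has no CN")
    version = re.search(r"^[ \t]*Version:[ \t]*(\d+)", text, re.M)
    if version and int(version.group(1)) < 3:
        # Extensions exist only in X.509 v3, so an older cert cannot carry a SAN either.
        findings.append("X.509 v%s: no extensions, so no subjectAltName" % version.group(1))
    if re.search(r"Signature Algorithm:[ \t]*sha1", text, re.I):
        findings.append("SHA-1 signature")
    return findings

if __name__ == "__main__":
    for finding in audit_cert_text(SAMPLE_DUMP):
        print("WARN:", finding)
```
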
