Hi,
Thank you for your answer!
Yes, it seems that this option is what I actually need. But
unfortunately it doesn't work every time.
The following is right and what I need:
# openssl s_client -servername test-l32-apache-aux4.1gb.ru -connect test-l32-apache-aux4.1gb.ru:443
CONNECTED(00000003)
139907011864232:error:14077458:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 unrecognized name:s23_clnt.c:770:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 344 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
I start it once more:
# openssl s_client -servername test-l32-apache-aux4.1gb.ru -connect test-l32-apache-aux4.1gb.ru:443
CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
verify return:1
depth=0 OU = Domain Control Validated, OU = Hosted by OnlineNic Inc, OU = PositiveSSL, CN = salondm.com
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=Hosted by OnlineNic Inc/OU=PositiveSSL/CN=salondm.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFaDCCBFCgAwIBAgIRAOkDDvW7sOaSzvlgSrCmO2AwDQYJKoZIhvcNAQELBQAw
gZAxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAO
BgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTYwNAYD
VQQDEy1DT01PRE8gUlNBIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIg
Q0EwHhcNMTUxMTE4MDAwMDAwWhcNMTYxMTE3MjM1OTU5WjBxMSEwHwYDVQQLExhE
b21haW4gQ29udHJvbCBWYWxpZGF0ZWQxIDAeBgNVBAsTF0hvc3RlZCBieSBPbmxp
bmVOaWMgSW5jMRQwEgYDVQQLEwtQb3NpdGl2ZVNTTDEUMBIGA1UEAxMLc2Fsb25k
bS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCts/c3eQRTRVvB
gv2/CXI+sHEwLYQS4E7L+nDWZgkNiQ9yRXkL2RwJ9RW4hREBqKyUZ6jcY7ftfM1z
P1GRyjShejZ2Q+o4l26BTERZ4YFIoq4MVElZwkTTFC/deAQhALnEc1PTfCSb4QdK
LI8yVy7u10hrjw8LoOu1pldRuEzqiU/KO/9E/GKHtLLjmYnEuP4xSCl+poz/ceXS
RUehZTWoO8kKaVR5hblF2WB6MZNjjCn99h+s761U0Q9t/LVUy1JobaA3QDmigy0t
dz9qL7HN/muWQUITUzIb9dBalcp0c/GRJ9XH15OdfRkMHZ3XrTAkZWdEsFc78Rqo
odjeV/ZbAgMBAAGjggHZMIIB1TAfBgNVHSMEGDAWgBSQr2o6lFoL2JDqElZz30O0
Oija5zAdBgNVHQ4EFgQU2OUiNeYKowQegR6jR5v78ib60LswDgYDVR0PAQH/BAQD
AgWgMAwGA1UdEwEB/wQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMC
ME8GA1UdIARIMEYwOgYLKwYBBAGyMQECAgcwKzApBggrBgEFBQcCARYdaHR0cHM6
Ly9zZWN1cmUuY29tb2RvLmNvbS9DUFMwCAYGZ4EMAQIBMFQGA1UdHwRNMEswSaBH
oEWGQ2h0dHA6Ly9jcmwuY29tb2RvY2EuY29tL0NPTU9ET1JTQURvbWFpblZhbGlk
YXRpb25TZWN1cmVTZXJ2ZXJDQS5jcmwwgYUGCCsGAQUFBwEBBHkwdzBPBggrBgEF
BQcwAoZDaHR0cDovL2NydC5jb21vZG9jYS5jb20vQ09NT0RPUlNBRG9tYWluVmFs
aWRhdGlvblNlY3VyZVNlcnZlckNBLmNydDAkBggrBgEFBQcwAYYYaHR0cDovL29j
c3AuY29tb2RvY2EuY29tMCcGA1UdEQQgMB6CC3NhbG9uZG0uY29tgg93d3cuc2Fs
b25kbS5jb20wDQYJKoZIhvcNAQELBQADggEBABDEYzAowXA03JNOhdVR2yunobvF
ACgN7iE/H0dCloUSNsTZ2olCmaxgFdZHknETdLSaZW+Xj61l9DBm1XEcKZfxEVUo
NdWbEpSmXVyJOXK1wooTX5EPNSVHWuvKQiI+hAJwtZUpp3LqgovKnrBCBtrDalJp
IgEiyfO9psokajzOBPX+CW7XBTPkA22+2yQxQSnGsnNhEWfNm25PUKZzItV4vscm
m5s68V+DRkwOvJrrvc4U+Mfwy4KKaShGU59SrmP0iWhuxnIE5U3BgES5Wurqu6ac
83r3h9YnrQUbDRokc4NR9ZwjQmmwxLSuZIRghMILbqkYf8PjwZKjSxVOoIs=
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/OU=Hosted by OnlineNic Inc/OU=PositiveSSL/CN=salondm.com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
---
SSL handshake has read 5037 bytes and written 470 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 3DF903C4D89B55EB8903A43A189CE5A93227354918A7B0BE929DDA4063CDFD63
Session-ID-ctx:
Master-Key: F3089F057914890F322150867371A05422A9332ABB7D3D046FFDCB6B62E4F5B086DAB6A4B2F7EA1F44D621E2664380B6
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - b7 ba 6e b4 bb 31 5e 5c-ea f4 0c 4c 93 b8 4d c6   ..n..1^\...L..M.
0010 - 54 d6 a4 8a 50 f8 d6 e8-29 3b 01 ff 6a 60 6d 6d   T...P...);..j`mm
0020 - 4d 70 b9 97 bd 21 18 fa-46 a9 81 a4 c3 b8 e2 03   Mp...!..F.......
0030 - 53 7a e9 be f0 cc 8a 68-bb 2e 65 9c 09 ad c4 99   Sz.....h..e.....
0040 - c5 10 70 34 3a 44 7d 1e-0b e1 d5 67 bf 4d 8f 26   ..p4:D}....g.M.&
0050 - 09 5a 1d 46 0d b0 d8 90-60 f5 2e 54 86 31 e3 2a   .Z.F....`..T.1.*
0060 - 0b fb 98 a1 b1 a0 a8 6a-bd fc 58 dc 24 1a ac 86   .......j..X.$...
0070 - dc 67 06 41 2b 28 89 72-52 62 2c 55 09 5e 6f 3f   .g.A+(.rRb,U.^o?
0080 - f3 26 36 ea c8 c0 6c ce-89 97 70 71 5e 8e b6 65   .&6...l...pq^..e
0090 - d1 42 a5 9d 9c 89 f0 3f-af 1d a6 48 ca 7d 4f 73   .B.....?...H.}Os
00a0 - 89 a1 d8 c3 10 fe ee 46-3b 7b 3c 4c 59 83 25 08   .......F;{<LY.%.
00b0 - b8 65 4c da 84 26 e2 6e-77 d8 ad 9e be 76 73 41   .eL..&.nw....vsA
Start Time: 1456490227
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
So as you see it doesn't work.
On Wed, Feb 24, 2016 at 07:18:00PM +0100, PiBa-NL wrote:
> Hi,
> On 24-2-2016 at 12:13, Alexey Vlasov wrote:
> > Hi,
> > To enable HTTPS access
> > only for sites with an issued certificate; for other sites HTTPS access
> > should be unavailable. And preferably I would like to disable the
> > approval procedure (handshake SSL) for those "uncertificated" hosts,
> Have you checked if strict-sni perhaps matches your desired effect?
> http://cbonte.github.io/haproxy-dconv/snapshot/configuration-1.6.html#strict-sni
>
> Regards
> PiBa-NL
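The intermittent behaviour in the two runs above (one handshake refused with unrecognized_name, the next served the certificate for salondm.com) is easier to pin down when it is counted over many connections rather than compared by eye. The script below is an added example, not code from this thread or from HAProxy: it classifies each `openssl s_client` run as rejected, match or fallback and tallies the outcomes. The two sample outputs are constructed, abridged copies of the runs quoted above; the live `probe()` helper assumes an `openssl` binary on PATH, and `name_matches`, `classify`, `summarize` and `probe` are names chosen here.

```python
"""Check whether a TLS listener honours strict SNI consistently.

Added example, not code from the thread or from HAProxy. It classifies
openssl s_client output and counts the outcomes over repeated connections.
"""
import re
import subprocess
import sys

# Constructed samples, abridged from the two runs quoted in the thread.
SAMPLE_REJECTED = """CONNECTED(00000003)
139907011864232:error:14077458:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 unrecognized name:s23_clnt.c:770:
---
no peer certificate available
---
"""

SAMPLE_DEFAULT_CERT = """CONNECTED(00000003)
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = salondm.com
verify return:1
---
Server certificate
subject=/OU=Domain Control Validated/OU=Hosted by OnlineNic Inc/OU=PositiveSSL/CN=salondm.com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
Verify return code: 0 (ok)
"""

# Matches both the old "subject=/OU=.../CN=name" and the newer
# "subject=OU = ..., CN = name" layouts printed by s_client.
_SUBJECT_CN = re.compile(r"^subject=.*?CN\s*=\s*([^/,\n]+)", re.M)


def name_matches(cert_name, host):
    """Hostname comparison allowing a single leftmost wildcard label
    (the RFC 6125 rule); case-insensitive, trailing dots ignored."""
    cert_name = cert_name.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if cert_name.startswith("*."):
        suffix = cert_name[1:]                      # ".example.com"
        prefix = host[: -len(suffix)] if host.endswith(suffix) else None
        return bool(prefix) and "." not in prefix
    return cert_name == host


def classify(servername, output):
    """Map one s_client run to an outcome:
    ('rejected', None)   handshake refused with unrecognized_name,
                         i.e. strict SNI applied on this connection;
    ('match', cn)        certificate subject CN matches the SNI name;
    ('fallback', cn)     a certificate for another name was served,
                         i.e. strict SNI was not applied;
    ('unknown', None)    output carried no usable subject line.
    Only the subject CN is inspected: the default s_client output does
    not list subjectAltNames, which are what clients actually match."""
    if "unrecognized name" in output or "no peer certificate available" in output:
        return ("rejected", None)
    m = _SUBJECT_CN.search(output)
    if not m:
        return ("unknown", None)
    cn = m.group(1).strip()
    return ("match", cn) if name_matches(cn, servername) else ("fallback", cn)


def summarize(results):
    """Count outcomes; the listener behaves consistently only when every
    connection produced the same outcome."""
    counts = {}
    for outcome, _ in results:
        counts[outcome] = counts.get(outcome, 0) + 1
    return {"counts": counts, "consistent": len(counts) == 1}


def probe(host, port, servername, attempts=10, timeout=10):
    """Live check (assumes an openssl binary on PATH): connect `attempts`
    times with the given SNI name and classify each run. The error line
    goes to stderr and the certificate dump to stdout, so both are read."""
    results = []
    for _ in range(attempts):
        proc = subprocess.run(
            ["openssl", "s_client", "-servername", servername,
             "-connect", "%s:%d" % (host, port)],
            input=b"", capture_output=True, timeout=timeout)
        text = proc.stdout.decode("utf-8", "replace") + proc.stderr.decode("utf-8", "replace")
        results.append(classify(servername, text))
    return results


if __name__ == "__main__":
    # usage: python sni_probe.py HOST PORT SNI_NAME [ATTEMPTS]
    host, port, sni = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    n = int(sys.argv[4]) if len(sys.argv) > 4 else 10
    print(summarize(probe(host, port, sni, n)))
```

On the two outputs quoted above, `classify` returns `('rejected', None)` for the first run and `('fallback', 'salondm.com')` for the second, so `summarize` reports the listener as inconsistent. Mixed counts over a larger sample are the signal that not every path a connection can take applies strict SNI; a run that is all `rejected` for unknown names and all `match` for configured ones is what a correct setup looks like. The CN check is a heuristic for reading s_client output, not a substitute for validating the certificate's subjectAltName entries.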