This is my mistake. The option "strict-sni" works right.

On Fri, Feb 26, 2016 at 03:39:24PM +0300, Alexey Vlasov wrote:
> Hi,
> 
> Thank you for your answer!
> 
> Yes, it seems that this option is what I actually need. But
> unfortunately it doesn't work every time.
> 
> The following is right and what I need:
> 
> # openssl s_client -servername test-l32-apache-aux4.1gb.ru -connect test-l32-apache-aux4.1gb.ru:443
> 
> CONNECTED(00000003)
> 139907011864232:error:14077458:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 unrecognized name:s23_clnt.c:770:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 7 bytes and written 344 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> ---
> 
> I start it once more:
> 
> # openssl s_client -servername test-l32-apache-aux4.1gb.ru -connect test-l32-apache-aux4.1gb.ru:443
> CONNECTED(00000003)
> depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN
> = AddTrust External CA Root
> verify return:1
> depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA
> Limited, CN = COMODO RSA Certification Authority
> verify return:1
> depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA
> Limited, CN = COMODO RSA Domain Validation Secure Server CA
> verify return:1
> depth=0 OU = Domain Control Validated, OU = Hosted by OnlineNic Inc, OU
> = PositiveSSL, CN = salondm.com
> verify return:1
> ---
> Certificate chain
>  0 s:/OU=Domain Control Validated/OU=Hosted by OnlineNic
> Inc/OU=PositiveSSL/CN=salondm.com
>    i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO
> RSA Domain Validation Secure Server CA
>  1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO
> RSA Domain Validation Secure Server CA
>    i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO
> RSA Certification Authority
>  2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO
> RSA Certification Authority
>    i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust
> External CA Root
> ---
> Server certificate
> subject=/OU=Domain Control Validated/OU=Hosted by OnlineNic
> Inc/OU=PositiveSSL/CN=salondm.com
> issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA
> Limited/CN=COMODO RSA Domain Validation Secure Server CA
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 5037 bytes and written 470 bytes
> ---
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : ECDHE-RSA-AES256-GCM-SHA384
>     Session-ID:
> 3DF903C4D89B55EB8903A43A189CE5A93227354918A7B0BE929DDA4063CDFD63
>     Session-ID-ctx:
>     Master-Key:
> F3089F057914890F322150867371A05422A9332ABB7D3D046FFDCB6B62E4F5B086DAB6A4B2F7EA1F44D621E2664380B6
>     Key-Arg   : None
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     TLS session ticket lifetime hint: 300 (seconds)
>     TLS session ticket:
> 
>     Start Time: 1456490227
>     Timeout   : 300 (sec)
>     Verify return code: 0 (ok)
> ---
> 
> 
> So as you see it doesn't work.
> 
> 
> On Wed, Feb 24, 2016 at 07:18:00PM +0100, PiBa-NL wrote:
> > Hi,
> > On 24-2-2016 at 12:13 Alexey Vlasov wrote:
> > > Hi,
> > > To enable HTTPS access
> > > only for sites with an issued certificate; for other sites HTTPS access
> > > should be unavailable. And preferably I would like to disable the
> > > approval procedure (SSL handshake) for those "uncertificated" hosts,
> > Have you checked if strict-sni perhaps matches your desired effect?
> > http://cbonte.github.io/haproxy-dconv/snapshot/configuration-1.6.html#strict-sni
> > 
> > Regards
> > PiBa-NL
> 

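An added Python check, not part of this thread or of HAProxy itself, that does with the standard `ssl` module what the two `s_client` runs above do by hand: connect with a chosen SNI name and report whether the server aborted the handshake (the strict-sni outcome of the first run), served a certificate whose CN/SAN matches the name, or fell through to a certificate for a different name (the salondm.com outcome of the second run). The `probe()`/`classify()` names, the `UNRECOGNIZED_NAME` reason string used to recognise the alert, and the `SAMPLE_CERT` dict (constructed in the shape `getpeercert()` returns, with assumed SAN entries) are this example's own.

```python
import socket
import ssl

REJECTED = "rejected"              # server aborted the handshake for this SNI name
SERVED_MATCHING = "served-matching"
SERVED_DEFAULT = "served-default"  # a certificate for some other name was served

# Constructed sample in the shape ssl.getpeercert() returns, modelled on the
# salondm.com subject shown in the thread (the SAN entries are assumed).
SAMPLE_CERT = {
    "subject": ((("commonName", "salondm.com"),),),
    "subjectAltName": (("DNS", "salondm.com"), ("DNS", "www.salondm.com")),
}

def cert_names(cert):
    """Collect the CN and DNS SANs from an ssl.getpeercert() dict, lower-cased."""
    names = set()
    for rdn in cert.get("subject", ()):
        names.update(v.lower() for k, v in rdn if k == "commonName")
    names.update(v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS")
    return names

def name_matches(servername, names):
    """Exact match, or a single-label wildcard match such as *.example.com."""
    host = servername.lower()
    if host in names:
        return True
    return "." in host and ("*." + host.split(".", 1)[1]) in names

def classify(servername, error_reason, cert):
    """Map one handshake result to an outcome; error_reason is ssl.SSLError.reason."""
    if error_reason is not None:
        if "UNRECOGNIZED_NAME" in error_reason.upper():  # assumed reason string
            return REJECTED
        return "handshake-failed:" + error_reason
    if name_matches(servername, cert_names(cert)):
        return SERVED_MATCHING
    return SERVED_DEFAULT

def probe(servername, host=None, port=443, timeout=5.0):
    """Live check (needs network): handshake with the given SNI and classify the result."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # chain is still verified; names are compared in classify()
    try:
        with socket.create_connection((host or servername, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=servername) as tls:
                return classify(servername, None, tls.getpeercert())
    except ssl.SSLError as exc:
        return classify(servername, exc.reason or str(exc), None)
```

Run `probe()` several times against the same name, as the thread did; with strict-sni working, every attempt for an unconfigured name should come back `rejected`, never `served-default`.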