> Begin forwarded message:
> 
> From: Emmanuel Hocdet <[email protected]>
> Subject: Re: Client Certificates need dedicated IP:443 bind
> Date: 27 February 2017 at 11:00:11 UTC+1
> To: mlist <[email protected]>
> 
> Hi
> 
> you can do:
> 
> . crtlist.cfg:
> cert1.pem
> cert2.pem [ca-file /<path>/ca2.pem verify optional]
> 
> . haproxy.conf:
> bind ip1:443 ssl crt-list /<path>/crtlist.cfg
> 
> 
>> On 25 Feb 2017, at 00:38, mlist <[email protected]> wrote:
>> 
>> Hi Emmanuel,
>> can you write an example of a file for “crt-list file” to share an ip1:port
>> frontend using “verify optional”, requesting a certificate from the client
>> only if the client is for dom3?
>> Where is it possible to put verify optional instead of in bind?
>>  
>> bind ip1:443 ssl crt /<path>/cert1.pem crt /<path>/cert2.pem ca-file 
>> /<path>/ca1.pem ca-file /<path>/ca2.pem verify optional
>>    …
>>    acl dom1 hdr_dom(host) -i www.dom1.com
>>    use_backend dom1_be if dom1
>>  
>>    acl dom2 hdr_dom(host) -i www.dom2.com
>>    use_backend dom2_be if dom2
>>  
>>    acl dom3 hdr_dom(host) -i www.dom3.com
>>    use_backend dom3_be if dom3
>>  
>>  
>> backend dom1_be
>>    mode http
>>    server …
>>  
>> backend dom2_be
>>    mode http
>>    server …
>>  
>> backend dom3_be
>>    mode http
>>    server …
>>  
>> From: Emmanuel Hocdet [mailto:[email protected]]
>> Sent: Friday, 24 February 2017 16:14
>> To: mlist <[email protected]>
>> Subject: Re: Client Certificates need dedicated IP:443 bind
>>  
>>  
>> On 24 Feb 2017, at 15:48, mlist <[email protected]> wrote:
>>  
>> Ok: I see:
>>  
>> + crt-list file example:
>> …
>> +        certW.pem                   *.domain.tld !secure.domain.tld
>>  
>> Do you know when 1.8 will be usable in production?
>>  
>> End 2017 for 1.8.0.
>> Actual 1.8 is almost the same as current 1.7 + ssl configuration per 
>> certificate.
>> The expected stability is the same as 1.7.
>>  
>> 
>> 
>> From: Emmanuel Hocdet [mailto:[email protected]]
>> Sent: Friday, 24 February 2017 13:08
>> To: mlist <[email protected]>
>> Subject: Re: Client Certificates need dedicated IP:443 bind
>>  
>>  
>> You need to see the last 1.8 (with the per certificate ssl configuration
>> patch).
>> Configuration manual is also up to date with examples.
>>  
>> On 24 Feb 2017, at 13:04, mlist <[email protected]> wrote:
>>  
>> Can you give more details?
>>  
>> I see this in the 1.8 configuration manual. It seems to be a mechanism for SNI
>> filtering of the server certificate.
>> How can this be used also for Client Certificates? How?
>>  
>> Thank you
>>  
>> crt-list <file>
>>   This setting is only available when support for OpenSSL was built in. It
>>   designates a list of PEM file with an optional list of SNI filter per
>>   certificate, with the following format for each line :
>>  
>>         <crtfile> [[!]<snifilter> ...]
>>  
>>   Wildcards are supported in the SNI filter. Negative filter are also supported,
>>   only useful in combination with a wildcard filter to exclude a particular SNI.
>>   The certificates will be presented to clients who provide a valid TLS Server
>>   Name Indication field matching one of the SNI filters. If no SNI filter is
>>   specified, the CN and alt subjects are used. This directive may be specified
>>   multiple times. See the "crt" option for more information. The default
>>   certificate is still needed to meet OpenSSL expectations. If it is not used,
>>   the 'strict-sni' option may be used.
>>  
>>   Multi-cert bundling (see "crt") is supported with crt-list, as long as only
>>   the base name is given in the crt-list. SNI filter will do the same work on
>>   all bundled certificates.
>>  
>> From: Emmanuel Hocdet [mailto:[email protected]]
>> Sent: Friday, 24 February 2017 11:33
>> To: mlist <[email protected]>
>> Cc: [email protected]
>> Subject: Re: Client Certificates need dedicated IP:443 bind
>>  
>>  
>> Hi Roberto,
>>  
>> On 24 Feb 2017, at 09:04, mlist <[email protected]> wrote:
>>  
>> Hi,
>>  
>> We configured haproxy for client certificates:
>>  
>> bind <IP>:443 ssl crt <path> ca-file <path> verify optional
>>  
>> Configured this way (at bind stage), however, haproxy always asks for a client
>> certificate if one is present in the certificate store - for all domains, for
>> all backends.
>>  
>> Is there a solution so that haproxy asks for/manages client certificates only
>> for a specific domain or other request matching?
>>  
>> So it is possible to share a bind on <IP>:443 for mixed backends, some
>> accepting/requesting client certificates and others not using client
>> certificates.
>>  
>> Roberto
>>  
>> You can do that with 'crt-list' in 1.8dev.
>>  
>> Manu
> 
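Worked example, added here and not part of the original thread, that puts Emmanuel's crt-list suggestion together with Roberto's host-based routing. It assumes HAProxy 1.8's per-certificate crt-list syntax (`<crtfile> [ssl-bind-options] [snifilter ...]`, with `ca-file` and `verify` among the options allowed in the brackets); the file paths, the 192.0.2.10 address and the backend names are constructed placeholders. Because `ca-file`/`verify optional` is attached only to cert2.pem, a client certificate is requested only on handshakes whose SNI selects that certificate; dom1 and dom2 clients are never prompted.

```haproxy
# ---- /etc/haproxy/crtlist.cfg (constructed example; paths are assumptions) ----
# HAProxy 1.8 crt-list line format:
#   <crtfile> [[ssl-bind-options]] [[!]<snifilter> ...]
# The first entry is also the default certificate, served when no SNI matches.
/etc/haproxy/certs/cert1.pem                                                 www.dom1.com www.dom2.com
# Client-certificate verification is attached to this certificate only, so a
# client certificate is requested only when the SNI selects cert2.pem.
/etc/haproxy/certs/cert2.pem [ca-file /etc/haproxy/certs/ca2.pem verify optional] www.dom3.com

# ---- /etc/haproxy/haproxy.cfg (frontend excerpt) ----
frontend https_in
    mode http
    # One shared IP:443 bind; per-certificate TLS settings come from the crt-list.
    bind 192.0.2.10:443 ssl crt-list /etc/haproxy/crtlist.cfg

    acl dom1 hdr_dom(host) -i www.dom1.com
    acl dom2 hdr_dom(host) -i www.dom2.com
    acl dom3 hdr_dom(host) -i www.dom3.com

    # ssl_c_used is true only if the client presented a certificate during the
    # handshake. Routing is by Host header, but the certificate request was
    # decided by SNI, so a dom3 request can arrive on a handshake that never
    # asked for a certificate (no SNI, or SNI for another name). Refuse those
    # instead of passing them to dom3_be without a client identity.
    acl client_cert_presented ssl_c_used
    http-request deny if dom3 !client_cert_presented

    use_backend dom1_be if dom1
    use_backend dom2_be if dom2
    use_backend dom3_be if dom3

backend dom3_be
    mode http
    # Pass the verified client DN to the application for authorization (assumption:
    # the backend reads this header).
    http-request set-header X-SSL-Client-DN %{+Q}[ssl_c_s_dn]
    server app1 10.0.3.10:8080 check
```

With `verify optional`, a client that presents a certificate not chained to ca2.pem fails the handshake rather than being passed through, so `ssl_c_used` on its own is a sufficient "was authenticated" signal here; keep that in mind before adding `crt-ignore-err`, which would change that guarantee and would then require an explicit `ssl_c_verify 0` check.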
