> On 28 Feb 2017, at 11:29, mlist <[email protected]> wrote:
> 
> I tried this config:
>  
> . haproxy.conf:
> bind <IP1>:443 ssl crt-list /etc/haproxy/crt-list.txt
>  
> . crtlist.cfg:
> <path>/cert1.pem [ca-file /<path>/ca1.pem ca-file /<path>/ca1.pem verify optional]
> <path>/cert2.pem
> <path>/cert3.pem
>  
> but any request for any domain or hostname pops up the client-certificate 
> selection window on the client side, like this:
>  
> <image003.jpg>
>  
> also for domains not in cert1.pem (but in cert2.pem and cert3.pem)
>  
> Also
> -          what is the default certificate for a non-SNI client if one uses a 
> crt-list file instead of crt on the bind line? (without a crt-list file it is 
> the first crt on the bind line)

The default cert is always the first cert parsed. It's cert1.pem in your 
configuration.
The default cert is a source of errors because it's used in the SSL negotiation.
The [ca-file <pem> verify optional] is also present in the SSL negotiation; the 
switch to the correct cert will not override it.
=> You must move cert1.pem later in your configuration and leave the default 
cert as neutral as possible.

It's an open problem with OpenSSL. I have tried to create a neutral SSL context 
(without any certificate) before selecting the certificate, but OpenSSL doesn't 
like that.
Without a real solution, this behaviour should be documented.

> -          what if one needs to discriminate between 2 hostnames in the same 
> domain? (i.e. haproxy asks for a client certificate only for requests to 
> aaa.dom1.com, but not for other hostnames of dom1.com)?
>  

You must use snifilter in the crt-list file. With cert1 having CN/SAN dom1.com 
and *.dom1.com:
cert1.pem [ca-file <pem> verify optional]  aaa.dom1.com
Only aaa.dom1.com will be served.

You can also do:
cert1.pem [ca-file <pem> verify optional]  aaa.dom1.com
cert1.pem     *.dom1.com
dom1.com will not be served and only aaa will require a CA cert.

You should also use 'strict-sni' in the bind conf.

Manu
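As an added example (not code from the thread or from HAProxy), a small Python lint that parses a crt-list file and flags the two pitfalls Manu describes: a first (default) entry that carries ca-file/verify, and a verify entry with no SNI filter to restrict it. The certificate paths and ca1.pem name are constructed; the parser assumes bracketed options are key/value pairs, with no-* tokens as bare flags.

```python
import re

# Constructed crt-list modelled on the question: cert1.pem carries client-cert
# verification and is listed first, so it becomes the default certificate.
BROKEN_CRT_LIST = """\
/etc/haproxy/certs/cert1.pem [ca-file /etc/haproxy/ca1.pem verify optional]
/etc/haproxy/certs/cert2.pem
/etc/haproxy/certs/cert3.pem
"""

# The ordering recommended in the reply: a neutral default first, verification
# only on aaa.dom1.com, and a plain entry for the rest of the domain.
FIXED_CRT_LIST = """\
/etc/haproxy/certs/cert2.pem
/etc/haproxy/certs/cert3.pem
/etc/haproxy/certs/cert1.pem [ca-file /etc/haproxy/ca1.pem verify optional] aaa.dom1.com
/etc/haproxy/certs/cert1.pem *.dom1.com
"""

# <certfile> [<options>] <snifilter>...   (options and filters are optional)
ENTRY_RE = re.compile(r"^(\S+)(?:\s*\[([^\]]*)\])?\s*(.*)$")

def parse_crt_list(text):
    """Return (certfile, options dict, [sni filters]) per non-empty, non-comment line."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        cert, raw_opts, filters = m.group(1), (m.group(2) or "").split(), m.group(3).split()
        options, toks = {}, iter(raw_opts)
        for tok in toks:  # assumption: "no-*" tokens are flags, everything else "key value"
            options[tok] = True if tok.startswith("no-") else next(toks, None)
        entries.append((cert, options, filters))
    return entries

def lint_crt_list(text):
    """Flag the pitfalls from the thread; returns a list of finding strings (empty = clean)."""
    entries = parse_crt_list(text)
    if not entries:
        return ["empty crt-list"]
    findings = []
    first_cert, first_opts, _ = entries[0]  # first parsed entry is the default certificate
    if "ca-file" in first_opts or first_opts.get("verify", "none") != "none":
        findings.append(f"default cert {first_cert} carries client-cert verification; move it later")
    for cert, opts, filters in entries:
        if opts.get("verify") in ("optional", "required") and not filters:
            findings.append(f"{cert} requests client certs without an SNI filter")
    return findings
```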
