>>> The default cert is always the first cert parsed. It's cert1.pem in your
>>> configuration.
>>> The default cert is a source of errors because it's used in the SSL
>>> negotiation.
>>> The [ca-file <pem> verify optional] is also present in the SSL negotiation;
>>> the switch to the correct cert will not override it.
>>> => You must move cert1.pem later in your configuration and leave the
>>> default cert as neutral as possible.

>>> It's an open problem with openssl. I have tried to create a neutral SSL
>>> context (without any certificate) before selecting the certificate, but openssl
>>> doesn't like that.
>>> Without a real solution, this behaviour should be documented.

Ok. This is actually a problem, as we need to use the default non-SNI wildcard
certificate also for the client certificate selection request case, based on
hostname only. So for now we have to change the domain for these hostnames or
use separate IP bindings, which at the moment seems to be the simplest viable solution.

>>>>>> what if one needs to discriminate between 2 hostnames in the same domain?
>>>>>> (i.e. haproxy asks for a client certificate only for requests to
>>>>>> aaa.dom1.com, but not for other hostnames of dom1.com)
>>> You must use snifilter in the crt-list file. With cert1 having CN/SAN
>>> dom1.com and *.dom1.com:
>>> cert1.pem [ca-file <pem> verify optional]  aaa.dom1.com
>>> Only aaa.dom1.com will be served.

>>> you can also do:
>>> cert1.pem [ca-file <pem> verify optional]  aaa.dom1.com
>>> cert1.pem     *.dom1.com
>>> dom1.com will not be served and only aaa will require a ca
>>> cert.
>>> You should also use 'strict-sni' in the bind conf.

To test your solution, I tried moving cert1.pem later in the crtlist.cfg file, but
when doing so the client certificate selection window is no longer presented,
even when using strict-sni. cert1.pem is a wildcard certificate for *.dom1.com (see
below); is this a problem if cert1 is not the default?

This is the new crtlist.cfg configuration:

cert2.pem   *.dom2 strict-sni
    -> cert2.pem is a wildcard certificate for dom2.com (*.dom2.com)
cert3.pem   www.dom3.com strict-sni
    -> cert3.pem is a single host certificate for www.dom3.com
cert1.pem   [ca-file ca1.pem ca-file ca2.pem verify optional] aaa.dom1.com strict-sni
    -> cert1.pem is a wildcard certificate for dom1.com (*.dom1.com)
cert1.pem   *.dom1.com strict-sni

Now, as mentioned, all domains work fine without the client certificate selection
window popping up, but for aaa.dom1.com too no selection is presented to the client.


Roberto
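The two pieces of advice in this thread (keep the first crt-list entry, which becomes the default cert, free of `verify`, and scope the client-cert entry to one hostname with an SNI filter) can be checked mechanically. The following is an added example, not HAProxy's code and not from either author: a small linter that parses a crt-list in the `<certfile> [<options>] [<sni filter> ...]` form used in the thread, flags a default cert that carries `verify optional|required`, and models which entry a handshake selects. The selection model is a deliberate simplification (exact filter before wildcard, `*.x` matching one label, entries without filters not matched by name); the crt-list contents and file names are constructed for the demo.

```python
"""Lint an HAProxy crt-list for the default-cert pitfall discussed in this thread
and model which entry a handshake selects.  Added example, not HAProxy's own code.
Assumed line syntax:  <certfile> [<bracketed options>] [<sni filter> ...]
Sample crt-list contents below are constructed for the demo."""
import re
from dataclasses import dataclass
from typing import List, Optional

_LINE_RE = re.compile(r"^(?P<cert>\S+)\s*(?:\[(?P<opts>[^\]]*)\])?\s*(?P<filters>.*)$")


@dataclass
class Entry:
    cert: str
    ca_files: List[str]
    verify: Optional[str]        # None, "none", "optional" or "required"
    sni_filters: List[str]

    def asks_client_cert(self) -> bool:
        # 'verify optional' and 'verify required' both make the server send a
        # CertificateRequest, which is what triggers the browser's selection prompt.
        return self.verify in ("optional", "required")


def parse_options(opts: str):
    """Extract ca-file (may repeat) and verify from the bracketed option list."""
    tokens, ca_files, verify, i = opts.split(), [], None, 0
    while i < len(tokens):
        if tokens[i] == "ca-file" and i + 1 < len(tokens):
            ca_files.append(tokens[i + 1])
            i += 2
        elif tokens[i] == "verify" and i + 1 < len(tokens):
            verify = tokens[i + 1]
            i += 2
        else:
            i += 1               # other options (alpn, ciphers, ...) are irrelevant here
    return ca_files, verify


def parse_crt_list(text: str) -> List[Entry]:
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # '#' starts a comment
        if not line:
            continue
        m = _LINE_RE.match(line)
        ca_files, verify = parse_options(m.group("opts") or "")
        entries.append(Entry(m.group("cert"), ca_files, verify, m.group("filters").split()))
    return entries


def select_entry(entries: List[Entry], servername: Optional[str]) -> Optional[Entry]:
    """Simplified model of the cert choice for one handshake (assumption, not HAProxy code).
    No SNI -> the default cert, i.e. the first entry parsed.  With SNI an exact filter
    wins over a wildcard and '*.x' matches exactly one extra label.  No match -> None
    (with strict-sni on the bind line the handshake is refused)."""
    if servername is None:
        return entries[0]
    host = servername.lower()
    for e in entries:
        if host in [f.lower() for f in e.sni_filters]:
            return e
    for e in entries:
        for f in e.sni_filters:
            if f.startswith("*.") and "." in host and host.split(".", 1)[1] == f[2:].lower():
                return e
    return None


def lint(text: str) -> List[str]:
    """Return human-readable problems; an empty list means the crt-list looks sane."""
    entries = parse_crt_list(text)
    if not entries:
        return ["crt-list is empty"]
    problems, default = [], entries[0]
    if default.asks_client_cert():
        problems.append(
            f"{default.cert} is the default cert (first entry) and carries 'verify "
            f"{default.verify}': the CertificateRequest is part of the initial SSL "
            "negotiation, so every client, SNI or not, gets the certificate prompt")
    for e in entries[1:]:
        if e.asks_client_cert() and not e.sni_filters:
            problems.append(f"{e.cert} asks for client certs but has no SNI filter to scope it")
        if e.asks_client_cert() and not e.ca_files:
            problems.append(f"{e.cert}: 'verify {e.verify}' without a ca-file to validate against")
    return problems


# Constructed crt-list reproducing the first configuration in the thread: the entry
# with 'verify optional' is parsed first, so it becomes the default cert.
BAD_CRT_LIST = """\
cert1.pem [ca-file ca1.pem ca-file ca2.pem verify optional]
cert2.pem
cert3.pem
"""

# Constructed crt-list following the advice in the thread: a neutral default first,
# the client-cert entry scoped to aaa.dom1.com by an SNI filter.
FIXED_CRT_LIST = """\
cert2.pem  *.dom2.com        # default cert: no client-cert verification
cert3.pem  www.dom3.com
cert1.pem  [ca-file ca1.pem ca-file ca2.pem verify optional] aaa.dom1.com
cert1.pem  *.dom1.com
"""

if __name__ == "__main__":
    for name, text in (("bad", BAD_CRT_LIST), ("fixed", FIXED_CRT_LIST)):
        print(name, lint(text) or "ok")
    for sni in (None, "aaa.dom1.com", "bbb.dom1.com", "dom1.com"):
        e = select_entry(parse_crt_list(FIXED_CRT_LIST), sni)
        print(sni, "->", "refused" if e is None else f"{e.cert} asks={e.asks_client_cert()}")
```

Run against the "bad" list the linter reports the default-cert problem; against the "fixed" list it is quiet, and the selection model shows that only `aaa.dom1.com` lands on the `verify optional` entry while `bbb.dom1.com` gets the plain wildcard entry and bare `dom1.com` matches nothing, which is the "dom1.com will not be served" behaviour described above.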



From: Emmanuel Hocdet [mailto:[email protected]]
Sent: Tuesday, 28 February 2017 12:46
To: mlist <[email protected]>; [email protected]
Subject: Re: Client Certificates need dedicated IP:443 bind


On 28 Feb 2017 at 11:29, mlist <[email protected]> wrote:

I tried this config:

. haproxy.conf:
bind <IP1>:443 ssl crt-list /etc/haproxy/crt-list.txt

. crtlist.cfg:
<path>/cert1.pem [ca-file /<path>/ca1.pem ca-file /<path>/ca1.pem verify optional]
<path>/cert2.pem
<path>/cert3.pem

but every request for every domain and every hostname pops up the client
certificate selection window on the client side, like this:

[image003.jpg: screenshot of the client certificate selection window]

also for domains not in cert1.pem (but in cert2.pem and cert3.pem).

Also
- what is the default certificate for a non-SNI client if one uses a crt-list
file instead of crt on the bind line? (without a crt-list file it is the first
crt on the bind line)

The default cert is always the first cert parsed. It's cert1.pem in your
configuration.
The default cert is a source of errors because it's used in the SSL negotiation.
The [ca-file <pem> verify optional] is also present in the SSL negotiation; the
switch to the correct cert will not override it.
=> You must move cert1.pem later in your configuration and leave the default
cert as neutral as possible.

It's an open problem with openssl. I have tried to create a neutral SSL context
(without any certificate) before selecting the certificate, but openssl doesn't
like that.
Without a real solution, this behaviour should be documented.


- what if one needs to discriminate between 2 hostnames in the same domain?
(i.e. haproxy asks for a client certificate only for requests to aaa.dom1.com,
but not for other hostnames of dom1.com)

You must use snifilter in the crt-list file. With cert1 having CN/SAN
dom1.com and *.dom1.com:
cert1.pem [ca-file <pem> verify optional]  aaa.dom1.com
Only aaa.dom1.com will be served.

you can also do:
cert1.pem [ca-file <pem> verify optional]  aaa.dom1.com
cert1.pem     *.dom1.com
dom1.com will not be served and only aaa will require a ca cert.

You should also use 'strict-sni' in the bind conf.

Manu
