> Le 28 févr. 2017 à 13:38, mlist <[email protected]> a écrit : > > >>> The default cert is always the first cert parsed. It’s cert1.pem in your > >>> configuration. > >>> The default cert is a source of errors because it's used in the SSL > >>> negotiation. > >>> The [ca-file <pem> verify optional] is also present in the SSL > >>> negotiation, the switch to the correct cert will not override it. > >>> => You must move the cert1.pem later in your configuration and let the > >>> default cert as neutral as possible. > > >>> It’s a open problem with openssl. I have trying to create a neutral SSL > >>> context (without any certificat) before select the certificat, but > >>> openssl don’t like that. > >>> Without a real solution, this behaviour should be documented. > > Ok. This is actually a problem as we need to use default not-SNI wildcard > certificate also for client certificate > selection request case, based on some hostname only. So as now we have to > change domain for these hostnames > or use separate IP bindings, at moment seems to be the simple viable solution. > > >>>>>> what if one need to discriminate between 2 hostname in the some domain > >>>>>> ? (i.e. haproxy ask for client certificate only for request to > >>>>>> aaa.dom1.com <http://aaa.dom1.com/>, but not for other hostname of > >>>>>> dom1.com <http://dom1.com/>) ? > >>> You must used snifilter in crt-list file. With cert1 have CN/SAN > >>> dom1.com <http://dom1.com/> and *.dom1.com <http://dom1.com/> > >>> cert1.pem [ca-file <pem> verify optional] aaa.dom1.com > >>> <http://aaa.dom1.com/> > >>> Only aaa.dom1.com <http://aaa.dom1.com/> will be serve. > > >>> you can also do: > >>> cert1.pem [ca-file <pem> verify optional] aaa.dom1.com > >>> <http://aaa.dom1.com/> > >>> cert1.pem *.dom1.com <http://dom1.com/> > >>> dom1.com <http://dom1.com/> will be not serve and only aaa will require > >>> ca cert. > >>> You should also used 'strict-sni' in bind conf. > > To test your solution, I tried to move cert1.pem later in crtlist.cfg file > but if doing so, client certificate selection window is no more presented > also using strict-sni. cert1.pem is a wildcard certificate for *.dom1.com > <http://dom1.com/> (see below), is this a problem if the cert1 is not default > ? >
I have false positives with my basic tests for ca-file.. i reproduce this behavior now. ca-file in per-certificate configuration is more complicated than expected. The current implementation does not work. I need to look at it. > This is the new crtlist.cfg configuration: > > cert2.pem *.dom2 strict-sni -> cert2.pem is a wildcard > certificate for dom2.com <http://dom2.com/> (*.dom2.com <http://dom2.com/>) > cert3.pem www.dom3.com <http://www.dom3.com/> strict-sni -> cert3.pem is > a single host certificate www.dom3.com <http://www.dom3.com/> > cert1.pem [ca-file ca1.pem ca-file ca2.pem verify optional] aaa.dom1.com > <http://aaa.dom1.com/> strict-sni -> cert1.pem is a wildcard certificate > for dom1.com <http://dom1.com/> (*.dom1.com <http://dom1.com/>) > cert1.pem *.dom1.com <http://dom1.com/> strict-sni > > Now as mentioned all domain works fine without client certificates selection > window popped up, > but also for aaa.dom1.com <http://aaa.dom1.com/> no selection is presented to > client. > > strict-sni is only for bind line, you must not use it in sni-filter. You need default certificat for no-SNI, don’t use strict-sni. Manu
