> On 4 March 2017 at 15:03, mlist <[email protected]> wrote:
>
>>>> For those first 3 points we don't need renegotiation.
>
>>>> Current implementation is buggy, but once we merge:
>>>> "BUG/MEDIUM: ssl: fix verify/ca-file per certificate"
>
>>>> all those issues will be addressed, without complex workarounds or
>>>> multiple IPs.
>
> For 2. Allow to have the default cert to use for non-SNI client for the
> same domain used also for client certificate request
>
> I did a test that demonstrates a not working behavior.
> Emmanuel wrote me why. See test case and Emmanuel's answer:
>
> My test case and question:
> . haproxy.conf:
> bind <IP1>:443 ssl crt-list /etc/haproxy/crt-list.txt
>
> . crtlist.cfg:
> <path>/cert1.pem [ca-file /<path>/ca1.pem ca-file
> /<path>/ca1.pem verify optional]
> <path>/cert2.pem
> <path>/cert3.pem
>
> but any request for any domain for any hostname pops up
> on the client side the client certificate selection window;
> the popup selection is presented to the client also for domains
> not in cert1.pem but in cert2.pem and cert3.pem.
> Also: what is the default certificate for a non-SNI
> client if one uses a crt-list file instead of crt on the bind line? (without
> a crt-list file it is the first crt in the bind line)
>
> Emmanuel's answer:
> The default cert is always the first cert parsed. It's
> cert1.pem in your configuration.
> The default cert is a source of errors because it's
> used in the SSL negotiation.
> The [ca-file <pem> verify optional] is also present in
> the SSL negotiation; the switch to the correct cert will not override it.
> => You must move cert1.pem later in your
> configuration and leave the default cert as neutral as possible.
>
> It's an open problem with OpenSSL. I have been trying to
> create a neutral SSL context (without any certificate) before selecting the
> certificate, but OpenSSL doesn't like that.
> Without a real solution, this behaviour should be
> documented.
The fix is in the latest 1.8dev ("BUG/MEDIUM: ssl: fix verify/ca-file per certificate").
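The workaround Emmanuel describes, written out as an added example that is not from the original thread: the first crt-list entry becomes the default (non-SNI) certificate and is kept free of ca-file/verify so those settings do not end up in every negotiation, while cert1.pem with its client-certificate options is listed later. File paths, CA file and the SNI filters (site1.example etc.) are placeholders.

```haproxy
# haproxy.cfg (frontend excerpt)
frontend https
    bind <IP1>:443 ssl crt-list /etc/haproxy/crt-list.txt

# /etc/haproxy/crt-list.txt
# Line 1 is the default cert: no ca-file/verify here, so a non-SNI client
# or a client for site2/site3 is never asked for a client certificate.
/etc/haproxy/certs/cert2.pem site2.example
/etc/haproxy/certs/cert3.pem site3.example
# cert1.pem keeps its per-certificate options but is no longer the default.
/etc/haproxy/certs/cert1.pem [ca-file /etc/haproxy/ca1.pem verify optional] site1.example
```

On a build that already carries the 1.8dev fix named above, the per-certificate options no longer leak from the default entry, so this ordering only matters for earlier versions.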

