Hello,

On 08.05.2017 at 10:56, Daniel Schneller wrote:
> Just my 2c, I very much support Kevin’s argument.
> Even though we are not (yet) verifying backends — because currently we
> _are_ in a private LAN — we are planning to deploy parts of our
> application to public cloud infrastructure soon, so it would be a
> quite important feature.
>
>> On 6 May 2017, at 19:18, Kevin McArthur <ke...@stormtide.ca> wrote:
>>
>> 1. The Snowden leaks and the whole "SSL added and removed here"
>> issue, for example. TLS on internal networks is more important these
>> days due to local network implants and other security issues on LANs.
>>
>> 2. Our use case is actually DigitalOcean where there is "private
>> networking" but it is shared among many customers. Operating without
>> TLS on this semi-private network would be unwise.
>>
>> 3. Most of the public tutorials for re-encrypt bridged TLS are simply
>> incurring TLS overhead while providing no TLS security (e.g. SSL on,
>> but verify none enabled, verifyhost not set, etc.).
>>
>> 4. Use cases like CDN proxy of public servers. Think Cloudflare's
>> Full SSL (Strict) setup...
>>
>>


HAProxy has been able to verify the certificate of backend TLS servers since day 1.

The only thing missing is client-SNI-based backend certificate
verification, which, yes - since we can pass the client SNI to the TLS
server - we need to consider in the certificate verification process as well.


Regards,
Lukas
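Kevin's point 3 above (re-encrypt setups that negotiate TLS to the backend but never validate it), as an added example that is not part of the original thread and not HAProxy project configuration: the tutorial-style backend with the weak setting beside one that actually verifies the server certificate. Backend names, addresses, the CA bundle path and the hostname are assumptions.

```haproxy
# Added example, not from the thread. Names, addresses, CA path and
# hostname are assumptions.

global
    # Global default for server-side verification; a per-server "verify"
    # option overrides it, which is how the weak setup below slips through.
    ssl-server-verify required

# Weak: TLS is negotiated to the backend, but the server certificate is
# never checked, so anyone who can intercept traffic on the "private"
# network can present any certificate and read the cleartext. This is
# the "TLS overhead while providing no TLS security" case.
backend app_weak
    server app1 10.10.0.11:443 ssl verify none

# Corrected: the backend certificate must chain to the named CA bundle
# and carry the expected hostname.
#   verify required  - reject the connection on any verification failure
#   ca-file          - trust anchor for the backend certificate chain
#   verifyhost       - the one fixed name to check against the certificate
#   sni ssl_fc_sni   - forward the client's SNI to the backend
# Note that verifyhost pins a single name while sni varies per client;
# the SNI is not used for the certificate check here, which is the gap
# Lukas describes above.
backend app_strict
    server app1 10.10.0.11:443 ssl verify required \
        ca-file /etc/ssl/private/internal-ca.pem \
        verifyhost app1.internal.example \
        sni ssl_fc_sni
```

The quick check for an existing config is to grep every `server ... ssl` line for `verify none` and for a missing `ca-file`/`verifyhost` pair; a line that has `ssl` but neither is the pattern Kevin is calling out.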

