Hello, list.
In HAProxy 1.7.9 a frontend authenticates clients via SSL certificate
...
bind 1.1.1.1:2222 ssl crt /etc/ssl/private/XXX.pem force-tlsv12 ca-file /etc/ssl/YYY.pem verify required
...
Is there a way to deny access to some certificates without using a
certificate revocation list?
I am trying with ACLs like
acl revoked_cert ssl_c_serial,hex 0x25
or
acl revoked_cert ssl_c_sha1,hex 0xFC481501DB98290C5E9B22530D2CA73EB36E76C5
and then
tcp-request session reject if revoked_cert
but the connections still work. I suspect that the ACLs are incorrect.
The numbers come from the certificate that I want to reject
$ openssl x509 -in BADCERT.crt -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 37 (0x25)
[...]
$ openssl x509 -in BADCERT.crt -fingerprint
SHA1 Fingerprint=FC:48:15:01:DB:98:29:0C:5E:9B:22:53:0D:2C:A7:3E:B3:6E:76:C5
[...]
If the error correction is trivial, can someone please tell me what I am
doing wrong?
Is there some documentation specific to this, maybe with some working
examples?
Thank you
.marcoc
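As an added example (editor's code, not part of the mailing-list post or of HAProxy itself), the script below takes the two openssl output lines shown above and turns them into the string form that HAProxy's `hex` converter produces for `ssl_c_serial` and `ssl_c_sha1`: uppercase hex digits, no `0x` prefix and no colons. It then prints matching ACL and `tcp-request session reject` lines. The function names are the editor's; the assumption is that the `hex` converter emits exactly two uppercase digits per input byte, so the ACL pattern must be spelled the same way. When given a certificate path as its first argument, the script runs openssl itself; with no argument it only defines the functions.

```shell
#!/bin/sh
# Added example: derive HAProxy ACL patterns for ssl_c_serial,hex and
# ssl_c_sha1,hex from openssl's "-serial" and "-fingerprint" output.
# Assumption: HAProxy's hex converter yields uppercase hex without "0x".

# "serial=25" -> "25"
serial_to_haproxy_hex() {
    printf '%s\n' "$1" | sed 's/^serial=//' | tr '[:lower:]' '[:upper:]'
}

# "SHA1 Fingerprint=FC:48:15:..." -> "FC4815..."
fingerprint_to_haproxy_hex() {
    printf '%s\n' "$1" | sed 's/^.*Fingerprint=//' | tr -d ':' \
        | tr '[:lower:]' '[:upper:]'
}

# Emit the frontend lines; "-m str" makes the comparison an exact string match
# against the converter output rather than a prefix or pattern match.
emit_acl_block() {
    serial_hex="$1"
    sha1_hex="$2"
    printf 'acl revoked_cert ssl_c_serial,hex -m str %s\n' "$serial_hex"
    printf 'acl revoked_cert ssl_c_sha1,hex -m str %s\n' "$sha1_hex"
    printf 'tcp-request session reject if revoked_cert\n'
}

# Optional: run against a real certificate when a path is given, e.g.
#   sh this_script.sh BADCERT.crt
if [ -n "$1" ]; then
    serial_line=$(openssl x509 -in "$1" -noout -serial)
    fp_line=$(openssl x509 -in "$1" -noout -fingerprint -sha1)
    emit_acl_block "$(serial_to_haproxy_hex "$serial_line")" \
                   "$(fingerprint_to_haproxy_hex "$fp_line")"
fi
```

The serial pattern must match the DER bytes of the serial exactly, so keep any leading zero pair that openssl prints (for example `serial=00A1` stays `00A1`); the fingerprint is the SHA-1 of the whole DER certificate, so it changes whenever the certificate is re-issued, while the serial does not.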