On Mon, 16 Jul 2018 at 11:57, Martin RADEL
<martin.ra...@rbinternational.com> wrote:
>
> Hi,
>
> I think we found the issue:
> Seems that there was a misunderstanding from us regarding the haproxy 
> documentation with the "verifyhost" option.
>
> If I get it right, the documentation says that if we have a haproxy config 
> that
> - Has "verify required"
> - Does not use SNI
> - Has no "verifyhost"
> Then HAProxy will simply ignore whatever hostname the server sends back in 
> its certificate and the handshake will be OK.

Yes, that is correct, also see the verify docs:
https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#5.2-verify

Not sure how we ended up in this situation though. I remember there
was a vivid discussion about whether "verify" should default to none
or required. We opted for "required", to be "secure by default", but
this is totally useless given that it requires verifyhost or sni, and
will silently disable cert verification when those options are not
given. That's probably the worst thing we can do in this case; this
configuration should be rejected, imho. People that don't care about
cert verification should simply set "verify none". But here we are
now, and this is documented behavior :(

I think this was introduced in 2ab88675, maybe we can change this in 1.9.



> Please can you confirm that our understanding of HAProxy documentation is 
> correct?
> If so, then we could mark this topic as "solved" :-)

Yes, but I don't understand: you reported that verification is not
happening *with* verifyhost:

> the connection to the backend works all the time, even when there is a name 
> mismatch and even if we use the “verify required” option together with 
> “verifyhost”.


"verify required ssl verifyhost www.ham.eggs" fails as expected for
you now, correct?



Thanks,
Lukas

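Added illustration of the behaviour discussed in this thread (not part of the original messages, and not configuration from the HAProxy project itself): the first backend is the configuration Martin describes, which passes the handshake with any certificate the CA has signed, regardless of the name in it; the two that follow make the name check happen with "verifyhost" and with "sni" respectively, as the 1.8 "verify" documentation linked above describes. The address 10.0.0.10:443, the hostname backend.internal.example and the CA bundle path /etc/haproxy/ca.pem are assumptions chosen for the example.

```haproxy
# Weak: "verify required" checks the certificate chain against ca-file,
# but with neither "verifyhost" nor "sni" on the server line HAProxy has
# no name to compare the certificate against, so a certificate for any
# other host signed by the same CA is accepted (the behaviour confirmed
# in this thread). Placeholder address and paths are assumptions.
backend app_tls_weak
    mode http
    server app1 10.0.0.10:443 ssl verify required ca-file /etc/haproxy/ca.pem

# Fixed (explicit name): the certificate's name must match the value
# given to "verifyhost"; a mismatch fails the handshake.
backend app_tls_verifyhost
    mode http
    server app1 10.0.0.10:443 ssl verify required ca-file /etc/haproxy/ca.pem verifyhost backend.internal.example

# Fixed (via SNI): sending an SNI value also gives HAProxy a name to
# verify the certificate against, and the server gets the SNI it may need
# to select the right certificate.
backend app_tls_sni
    mode http
    server app1 10.0.0.10:443 ssl verify required ca-file /etc/haproxy/ca.pem sni str(backend.internal.example)

# If certificate verification is genuinely not wanted, say so explicitly
# rather than relying on the silent behaviour of the first backend.
backend app_tls_unverified
    mode http
    server app1 10.0.0.10:443 ssl verify none
```

A quick check of an existing deployment is to grep the configuration for server lines carrying "ssl verify required" and confirm each one also has a "verifyhost" or an "sni" argument; a line with neither is in the weak state above even though it reads as verified.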