On Mon, 16 Jul 2018 at 11:57, Martin RADEL <martin.ra...@rbinternational.com> wrote:
>
> Hi,
>
> I think we found the issue:
> Seems that there was a misunderstanding from us regarding the haproxy
> documentation with the "verifyhost" option.
>
> If I get it right, the documentation says that if we have a haproxy config
> that
> - Has "verify required"
> - Does not use SNI
> - Has no "verifyhost"
> Then HAProxy will simply ignore whatever hostname the server sends back in
> its certificate and the handshake will be OK.

Yes, that is correct, also see the verify docs:
https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#5.2-verify

Not sure how we ended up in this situation though. I remember there was a
vivid discussion about whether "verify" should default to none or required.
We opted for "required", to be "secure by default", but this is totally
useless given that it requires verifyhost or sni, and will silently disable
cert verification when those options are not given.

That's probably the worst thing we can do in this case; this configuration
should be rejected, imho. People that don't care about cert verification
should simply set "verify none".

But here we are now, and this is documented behavior :(

I think this was introduced in 2ab88675, maybe we can change this in 1.9.

> Please can you confirm that our understanding of HAProxy documentation is
> correct?
> If so, then we could mark this topic as "solved" :-)

Yes, but I don't understand, you reported that verification is not happening
*with* verifyhost:

> the connection to the backend works all the time, even when there is a name
> mismatch and even if we use the “verify required” option together with
> “verifyhost”.

"verify required ssl verifyhost www.ham.eggs" fails as expected for you now,
correct?

Thanks,
Lukas
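A configuration check for the case discussed in this thread, as an added example that is not part of the original messages and is not HAProxy project code: it lists `server` lines that use `ssl` with verification enabled but carry neither `sni` nor `verifyhost`, so the names in the backend certificate go unchecked. The sample configuration, addresses and file paths are constructed; the scan assumes the default `verify required` is in effect (no global `ssl-server-verify none`), does not resolve `default-server` inheritance, and treats option values as plain tokens.

```python
# Constructed sample configuration (addresses and paths are made up).
SAMPLE_CFG = """\
backend be_app
    server s1 10.0.0.1:443 ssl verify required ca-file /etc/ssl/ca.pem
    server s2 10.0.0.2:443 ssl verify required ca-file /etc/ssl/ca.pem verifyhost www.ham.eggs
    server s3 10.0.0.3:443 ssl verify required ca-file /etc/ssl/ca.pem sni req.hdr(host)
    server s4 10.0.0.4:443 ssl verify none
    server s5 10.0.0.5:443 ssl ca-file /etc/ssl/ca.pem  # verify left at its default
    server s6 10.0.0.6:80
"""


def verify_mode(opts):
    """Return the value after 'verify', or 'required' when it is not set
    (assumption: the default has not been changed globally)."""
    if "verify" in opts:
        idx = opts.index("verify")
        if idx + 1 < len(opts):
            return opts[idx + 1]
    return "required"


def unchecked_name_servers(cfg_text):
    """Return (line_no, server_name) for every TLS server line where the
    certificate chain is verified but no expected name is supplied."""
    findings = []
    for line_no, raw in enumerate(cfg_text.splitlines(), start=1):
        tokens = raw.split("#", 1)[0].split()  # drop trailing comments
        if len(tokens) < 3 or tokens[0] != "server":
            continue
        name, opts = tokens[1], tokens[3:]
        if "ssl" not in opts:
            continue  # plain-text backend, nothing to verify
        if verify_mode(opts) == "none":
            continue  # verification explicitly disabled by the operator
        if "sni" in opts or "verifyhost" in opts:
            continue  # a name is available for the hostname check
        findings.append((line_no, name))
    return findings


if __name__ == "__main__":
    for line_no, name in unchecked_name_servers(SAMPLE_CFG):
        print(f"line {line_no}: server {name}: certificate names are not checked")
```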