Hi.

On 20.08.2018 at 10:20, Jean-Baptiste Berthelin wrote:
> Hello,
>
> Since I have upgraded my Chrome web browser (Version 68.x), I always have a
> popup to choose the client certificate when reaching a HAProxy frontend.
>
> After some tests, I only have this popup if :
> - a "personal" certificate is stored on the web browser,
> - and the bind instruction "verify" is set to "optional" or "required".
>
> It seems to be possible to define different options according to the SNI with
> the "crl-file" parameter. The documentation says :
>
> This setting is only available when support for OpenSSL was built in. It
> designates a list of PEM file with an optional ssl configuration and a SNI
> filter per certificate, with the following format for each line :
>
> <crtfile> [\[<sslbindconf> ...\]] [[!]<snifilter> ...]
>
> sslbindconf support "npn", "alpn", "verify", "ca-file", "no-ca-names",
> "crl-file", "ecdhe", "curves", "ciphers" configuration. With BoringSSL
> and Openssl >= 1.1.1 "ssl-min-ver" and "ssl-max-ver" are also supported.
> It overrides the configuration set in bind line for the certificate.
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~
> On my side, I try with the following configuration without success :
>
> => frontend :
>
> bind 0.0.0.0:443 ssl crt-list /etc/haproxy/domain_crt_list
>
> => with /etc/haproxy/domain_crt_list :
>
> /etc/haproxy/domain-com.pem [verify optional] my.domain.com
> /etc/haproxy/domain2-com.pem *.domain.com
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> The certificate provided by the haproxy server is different according to the
> SNI, but the "verify" option is not taken into account.
>
> Is it a known bug or is there a workaround ?
Which haproxy version do you use?

haproxy -vv

Do you get the popup on both domains or only on domain-com?
Do you have any error message in the log or stdout?
Does it help when you add [verify none] on domain2-com?

I can't see any error or bug in the while loop in the function
ssl_sock_load_cert_list_file but I'm not a C expert.

http://git.haproxy.org/?p=haproxy-1.8.git;a=blob;f=src/ssl_sock.c;hb=c1bfcd002f54d1d84a99282d13f875c2649f3d70#l3542

> Best regards
>
> --
>
> *Jean-Baptiste Berthelin*

Best regards
aleks
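A small crt-list resolver in Python, added here as an illustration and not part of the thread or of HAProxy itself: it parses lines of the form `<crtfile> [[<sslbindconf> ...]] [[!]<snifilter> ...]` (the sample file is modelled on the one posted above) and reports which entry, and which `verify` mode, a given SNI would select. The matching rules (exact names beat wildcards, `*.` covers one label, `!` excludes, unmatched names fall back to the bind line's setting) are an approximation of HAProxy's behaviour, not its code.

```python
import re
# Constructed sample, modelled on the crt-list posted in the thread.
CRT_LIST = """\
/etc/haproxy/domain-com.pem [verify optional] my.domain.com
/etc/haproxy/domain2-com.pem *.domain.com
"""

def parse_conf(text):
    # 'verify optional no-ca-names' -> {'verify': 'optional', 'no-ca-names': True}
    it, conf = iter(text.split()), {}
    for key in it:
        conf[key] = True if key == 'no-ca-names' else next(it)  # only keyword with no value
    return conf

def parse_crt_list(text):
    # Each line: <crtfile> [[<sslbindconf> ...]] [[!]<snifilter> ...]; '#' starts a comment
    entries = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if line:
            crt, conf, filters = re.match(r'^(\S+)\s*(?:\[([^\]]*)\])?\s*(.*)$', line).groups()
            entries.append({'crt': crt, 'conf': parse_conf(conf or ''),
                            'filters': filters.split()})
    return entries

def sni_matches(pattern, sni):
    # Exact match, or a '*.' wildcard covering exactly one leading label
    pattern, sni = pattern.lower(), sni.lower()
    if pattern.startswith('*.'):
        head, _, tail = sni.partition('.')
        return bool(head) and tail == pattern[2:]
    return pattern == sni

def select_entry(entries, sni):
    # Exact filters beat wildcards; a '!' filter excludes the entry for that name
    best, best_rank = None, 0
    for entry in entries:
        if any(sni_matches(f[1:], sni) for f in entry['filters'] if f.startswith('!')):
            continue
        for f in entry['filters']:
            if not f.startswith('!') and sni_matches(f, sni):
                rank = 1 if f.startswith('*.') else 2
                if rank > best_rank:
                    best, best_rank = entry, rank
    return best

def verify_mode(entries, sni, bind_default='none'):
    # Effective 'verify' for an SNI: the entry's own setting, else the bind line's (assumed)
    entry = select_entry(entries, sni)
    return entry['conf'].get('verify', bind_default) if entry else bind_default
```

With the posted file, `verify_mode(parse_crt_list(CRT_LIST), 'my.domain.com')` gives `optional` while `www.domain.com` inherits the bind line, which is what one would compare against the popup behaviour seen per domain.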

