Dear all, I have just upgraded to the latest release of HAProxy 1.8 and it is working well now.
Regards

On 20/08/2018 at 13:39, Aleksandar Lazic wrote:
> Hi.
>
> On 20.08.2018 at 10:20, Jean-Baptiste Berthelin wrote:
>> Hello,
>>
>> Since I upgraded my Chrome web browser (version 68.x), I always get a popup
>> to choose the client certificate when reaching a HAProxy frontend.
>>
>> After some tests, I only get this popup if:
>> - a "personal" certificate is stored in the web browser,
>> - and the bind instruction "verify" is set to "optional" or "required".
>>
>> It seems to be possible to define different options according to the SNI with
>> the "crl-file" parameter. The documentation says:
>>
>> This setting is only available when support for OpenSSL was built in. It
>> designates a list of PEM files with an optional ssl configuration and a SNI
>> filter per certificate, with the following format for each line:
>>
>> <crtfile> [\[<sslbindconf> ...\]] [[!]<snifilter> ...]
>>
>> sslbindconf supports "npn", "alpn", "verify", "ca-file", "no-ca-names",
>> "crl-file", "ecdhe", "curves", "ciphers" configuration. With BoringSSL
>> and OpenSSL >= 1.1.1, "ssl-min-ver" and "ssl-max-ver" are also supported.
>> It overrides the configuration set in the bind line for the certificate.
>>
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> On my side, I tried with the following configuration without success:
>>
>> => frontend:
>>
>> bind 0.0.0.0:443 ssl crt-list /etc/haproxy/domain_crt_list
>>
>> => with /etc/haproxy/domain_crt_list:
>>
>> /etc/haproxy/domain-com.pem [verify optional] my.domain.com
>> /etc/haproxy/domain2-com.pem *.domain.com
>>
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>
>> The certificate provided by the haproxy server is different according to the
>> SNI, but the "verify" option is not taken into account.
>>
>> Is it a known bug or is there a workaround?
> Which haproxy version do you use? haproxy -vv
> Do you get the popup on both domains or only on domain-com?
> Do you have any error message in the log or stdout?
> Does it help when you add [verify none] on domain2-com?
>
> I can't see any error or bug in the while loop in the function
> ssl_sock_load_cert_list_file but I'm not a C expert.
>
> http://git.haproxy.org/?p=haproxy-1.8.git;a=blob;f=src/ssl_sock.c;hb=c1bfcd002f54d1d84a99282d13f875c2649f3d70#l3542
>
>> Best regards
>>
>> --
>>
>> *Jean-Baptiste Berthelin*
> Best regards
> aleks
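The crt-list format quoted in the thread is easy to misread, so here is an added example (not code from the thread and not HAProxy's own implementation) that parses crt-list lines according to the documented grammar `<crtfile> [[<sslbindconf> ...]] [[!]<snifilter> ...]` and reports which per-SNI `verify` setting ends up applying. The crt-list text is constructed from the one in the thread, with a `ca-file` and a negative filter added. The matching order (an exact SNI entry wins over a wildcard entry, a `!name` filter excludes that name from its line, and the first certificate in the list is used when nothing matches) and the set of options that take a value are assumptions drawn from the 1.8 documentation, not something the thread verifies. Entries without any explicit SNI filter would, in HAProxy, fall back to the names inside the certificate; this example does not read certificates, so it only resolves explicit filters.

```python
"""Parse HAProxy crt-list lines and resolve the per-SNI ssl options.

Added example, not HAProxy's code. Matching precedence (exact before
wildcard, "!name" exclusions, first entry as default) is an assumption
based on the 1.8 documentation.
"""
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed input: the list from the thread plus a ca-file (verify needs a
# CA to check client certificates against) and a negative filter.
CRT_LIST = """\
# per-SNI options for the frontend "bind :443 ssl crt-list ..."
/etc/haproxy/domain-com.pem [verify optional ca-file /etc/haproxy/clients-ca.pem] my.domain.com
/etc/haproxy/domain2-com.pem [verify none] *.domain.com !admin.domain.com
"""

# sslbindconf keywords that take a value; anything else ("no-ca-names") is a
# flag. Assumption based on the keyword list quoted from the 1.8 docs.
_VALUED = {"npn", "alpn", "verify", "ca-file", "crl-file", "ecdhe",
           "curves", "ciphers", "ssl-min-ver", "ssl-max-ver"}


@dataclass
class CrtListEntry:
    crtfile: str
    options: Dict[str, Optional[str]] = field(default_factory=dict)
    filters: List[str] = field(default_factory=list)   # positive SNI filters
    excludes: List[str] = field(default_factory=list)  # names given as !name


def parse_line(line: str) -> Optional[CrtListEntry]:
    """Parse one crt-list line; returns None for blank/comment lines."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    crtfile, rest = (line.split(None, 1) + [""])[:2]
    entry = CrtListEntry(crtfile)
    rest = rest.strip()
    if rest.startswith("["):
        end = rest.find("]")
        if end < 0:
            raise ValueError(f"unterminated [sslbindconf] in: {line}")
        toks = shlex.split(rest[1:end])
        i = 0
        while i < len(toks):
            key = toks[i]
            if key in _VALUED:
                if i + 1 >= len(toks):
                    raise ValueError(f"option {key!r} needs a value in: {line}")
                entry.options[key] = toks[i + 1]
                i += 2
            else:
                entry.options[key] = None  # flag keyword
                i += 1
        rest = rest[end + 1:]
    for f in rest.split():
        if f.startswith("!"):
            entry.excludes.append(f[1:].lower())
        else:
            entry.filters.append(f.lower())
    return entry


def parse_crt_list(text: str) -> List[CrtListEntry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def _filter_matches(pattern: str, sni: str) -> bool:
    """A "*.x" filter covers exactly one extra label, like a wildcard cert."""
    if pattern.startswith("*."):
        return sni.count(".") == pattern.count(".") and sni.endswith(pattern[1:])
    return pattern == sni


def select_entry(entries: List[CrtListEntry], sni: str) -> Optional[CrtListEntry]:
    """Exact SNI match first, then wildcard, else the first certificate."""
    sni = sni.lower()
    exact = wildcard = None
    for e in entries:
        if sni in e.excludes:
            continue
        for f in e.filters:
            if not _filter_matches(f, sni):
                continue
            if f.startswith("*."):
                wildcard = wildcard or e
            else:
                exact = exact or e
    return exact or wildcard or (entries[0] if entries else None)


def effective_verify(entries: List[CrtListEntry], sni: str,
                     bind_default: str = "none") -> str:
    """The verify mode for this SNI: crt-list value, else the bind line's."""
    entry = select_entry(entries, sni)
    if entry is None:
        return bind_default
    return entry.options.get("verify") or bind_default


if __name__ == "__main__":
    entries = parse_crt_list(CRT_LIST)
    for name in ("my.domain.com", "www.domain.com", "admin.domain.com", "other.example"):
        e = select_entry(entries, name)
        print(f"{name:18} -> {e.crtfile:32} verify={effective_verify(entries, name)}")
```

Note that `verify optional` still makes the server send a TLS CertificateRequest, which is exactly what triggers the browser's certificate picker when a personal certificate is installed; the only setting that avoids the prompt for a given SNI is `verify none` on that line, as suggested in the reply above.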