Hi,

On Mon, 2020-06-29 at 10:01 +0000, Stephane Martin (stepham2) wrote:
> Hello,
> 
> I’m trying to setup TLS mutual authentication using pinned certificates in
> haproxy, i.e. only accept a precise known certificate from the peer.
> 
> It is definitely possible using ACL and ssl_c_sha1, so that the route
> will only be accessible if the peer certificate has the right SHA1
> fingerprint.
> 
> But sha1 usage is strongly not recommended for compliance (you can
> understand why...).
> 
> In haproxy documentation I don't see any option to work with the sha256
> fingerprint of the peer certificate.
> 
> - Is there any other way to get that?

With haproxy 2.2(dev) this might work:
ssl_c_der,digest(sha256),hex
https://cbonte.github.io/haproxy-dconv/2.2/configuration.html#7.3.1-digest
https://cbonte.github.io/haproxy-dconv/2.2/configuration.html#7.3.4-ssl_c_der

And with haproxy 2.1:
ssl_c_der,sha2,hex
(https://cbonte.github.io/haproxy-dconv/2.1/configuration.html#7.3.1-sha2)

(I didn't test if these examples actually work).

> - If it needs to be implemented in haproxy, would you have any clue where
> to start?

(Backport digest from haproxy-2.2 to required version ?)

-Jarno

-- 
Jarno Huuskonen
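The conversion chain suggested above, as an added example that is not part of the thread: a small Python script that computes the value `ssl_c_der,digest(sha256),hex` would yield for a client certificate (from PEM or DER), renders the matching pinning ACL, and reproduces the accept/deny decision that ACL makes. The certificate bytes and the ACL name `client_pinned` are constructed for the example; the comparison is done case-insensitively (`-i`) because the exact case emitted by haproxy's `hex` converter is an assumption here.

```python
import base64
import hashlib
import re
from typing import Iterable

# Constructed sample: NOT a real certificate. The PEM body decodes to the
# bytes b"abc", so the expected fingerprint is the well-known SHA-256 test
# vector for "abc" (ba7816bf...15ad).
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""


def pem_to_der(pem: str) -> bytes:
    """Extract the base64 body of the first CERTIFICATE block and decode it to DER."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def sha256_fingerprint(der: bytes) -> str:
    """Mirror ssl_c_der,digest(sha256),hex: SHA-256 over the DER bytes, hex-encoded."""
    return hashlib.sha256(der).hexdigest().upper()


def acl_line(acl_name: str, fingerprint: str) -> str:
    """Render the haproxy ACL that matches only the pinned fingerprint (-i: ignore case)."""
    return f"acl {acl_name} ssl_c_der,digest(sha256),hex -m str -i {fingerprint}"


def is_pinned(presented_der: bytes, pinned: Iterable[str]) -> bool:
    """The decision the ACL makes: accept only if the presented cert's fingerprint is pinned."""
    pins = {p.lower() for p in pinned}
    return sha256_fingerprint(presented_der).lower() in pins


if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    fp = sha256_fingerprint(der)
    # Lines to paste into the frontend/listen section of haproxy.cfg:
    print(acl_line("client_pinned", fp))
    print("http-request deny unless client_pinned")
    # Simulated decisions: the pinned cert passes, any other DER is refused.
    print(is_pinned(der, [fp]), is_pinned(b"some other certificate", [fp]))
```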
