I had a look at your email domain :) I had some experience with SAP --> SSL communication, it turned out that SAP client disabled SNI by default (thus, if you have SNI based ssl binding, you just hit wrong site).

so ... full config is really welcome.

Tue, 3 Aug 2021 at 13:41, Froehlich, Dominik <[email protected]>:

> Hi,
>
> My question may have been a little misleading:
>
> To be clear: The HAproxy config is PEM only for both the server certificate and the CA-file for client certificates.
>
> The issue is that the client uses a p7b binary certificate and chain to connect to HAproxy. HAproxy then responds with a “unknown CA” error, even though the root of the client certificate is part of the CA-file.
>
> That got me to think HAproxy maybe does not support clients using non-PEM client certificates. But I could not find any source as to what is actually supported.
>
> Best regards,
>
> D
>
> *From:* Илья Шипицин <[email protected]>
> *Date:* Monday, 2. August 2021 at 20:14
> *To:* "Froehlich, Dominik" <[email protected]>
> *Subject:* Re: Supported certificate formats?
>
> if you are familiar with Wireshark, I suggest to capture Client Hello <--> Server Hello.
>
> certificates are displayed there, so you can see whether haproxy sends its certificate (and chain) or not.
>
> my money would be on "if haproxy does not complain on config, so it loaded it properly, including certificates"
>
> Mon, 2 Aug 2021 at 17:28, Froehlich, Dominik <[email protected]>:
>
> Hi,
>
> We have an issue with a client certificate in DER (binary) encoded PKCS7 format (.p7b).
>
> The file contains the full certificate chain and the CA-file at HAproxy matches the root CA of the chain, so it should work.
>
> However, the client connecting receives an “unknown CA” alert and HAproxy says “SSL client certificate not trusted”
>
> My strong suspicion is that HAproxy only supports PEM (text) encoded CRT format when connecting but I haven’t found a definitive source in the documentation. There are only examples using PEM so assume this is the only supported format.
>
> Can someone confirm / deny this or point me to a list of supported formats for certificates?
>
> Thanks a lot,
>
> Dominik

