Perfect, thank you all. Classical choice between "upgrade" and "backport" now
On 29/06/2020 12:59, "Tim Düsterhus" wrote:
Stephane,
On 29.06.20 at 12:56, Stephane Martin (stepham2) wrote:
> Thank you for your quick answers!
>
> So I understand that it is possible
Stephane,
On 29.06.20 at 12:56, Stephane Martin (stepham2) wrote:
> Thank you for your quick answers!
>
> So I understand that it is possible for haproxy >= 2.1. For haproxy 2.0, got
> to backport the sha2 filter, right ?
That is correct. I expect the commit I linked to apply pretty seamlessly
sl_c_sha1 is simply a hash of the DER representation of the
>> certificate. So you can just hash it with the sha2 converter:
>>
>> ssl_c_sha256,sha2(256)
>
> I think the first fetch should be ssl_c_der ?
> (ssl_c_der,sha2(256))
>
Jarno,
On 29.06.20 at 12:46, Jarno Huuskonen wrote:
>> The ssl_c_sha1 is simply a hash of the DER representation of the
>> certificate. So you can just hash it with the sha2 converter:
>>
>> ssl_c_sha256,sha2(256)
>
> I think the first fetch should be ssl
; - Is there any other way to get that ?
>
> Yes, see this commit message:
> https://github.com/haproxy/haproxy/commit/d4376302377e4f51f43a183c2c91d929b27e1ae3
>
> The ssl_c_sha1 is simply a hash of the DER representation of the
> certificate. So you can just hash it with the sha2
Hi,
On Mon, 2020-06-29 at 10:01 +, Stephane Martin (stepham2) wrote:
> Hello,
>
> I’m trying to set up TLS mutual authentication using pinned certificates in
> haproxy, i.e. only accept a precise known certificate from the peer.
>
> It is definitely possible using ACL and ssl_c_sha1, so that
xy/haproxy/commit/d4376302377e4f51f43a183c2c91d929b27e1ae3
The ssl_c_sha1 is simply a hash of the DER representation of the
certificate. So you can just hash it with the sha2 converter:
ssl_c_sha256,sha2(256)
Best regards
Tim Düsterhus
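
An added example, not part of the thread and not HAProxy project code: computing the SHA-256 pin offline from a PEM file and emitting an ACL that uses the `ssl_c_der,sha2(256)` chain from Jarno's reply. The sample "certificate" bytes, the function names, the ACL name and the `hex -m str -i` matching form are assumptions chosen for illustration.

```python
import hashlib
import hmac
import ssl

# Constructed placeholder bytes standing in for a certificate's DER encoding
# (not a real certificate; the pin depends only on the bytes that get hashed).
SAMPLE_DER = bytes.fromhex("3082010a0282010100") + bytes(range(64))
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)


def der_sha256_pin(pem_text: str) -> str:
    """Uppercase hex SHA-256 over the DER bytes inside a PEM certificate.

    Hashing the PEM text itself gives a different value that also changes
    with line endings, so the base64 body is decoded first.
    """
    der = ssl.PEM_cert_to_DER_cert(pem_text.strip())
    return hashlib.sha256(der).hexdigest().upper()


def normalise_pin(pin: str) -> str:
    """Accept 'AA:BB:...' (openssl -fingerprint style) or plain hex, any case."""
    cleaned = pin.replace(":", "").replace(" ", "").upper()
    if len(cleaned) != 64 or any(c not in "0123456789ABCDEF" for c in cleaned):
        raise ValueError("not a SHA-256 fingerprint")
    return cleaned


def matches_pin(pem_text: str, expected_pin: str) -> bool:
    """Constant-time comparison of a certificate's pin with the expected one."""
    return hmac.compare_digest(der_sha256_pin(pem_text), normalise_pin(expected_pin))


def haproxy_acl(name: str, pem_text: str) -> str:
    """ACL line for haproxy >= 2.1 (sha2 converter), per the thread.

    Assumed form: the hex converter turns the binary digest into a string and
    '-m str -i' compares it case-insensitively with the pinned value.
    """
    return f"acl {name} ssl_c_der,sha2(256),hex -m str -i {der_sha256_pin(pem_text)}"


if __name__ == "__main__":
    print(haproxy_acl("pinned_peer", SAMPLE_PEM))
```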
Hello,
I’m trying to set up TLS mutual authentication using pinned certificates in
haproxy, i.e. only accept a precise known certificate from the peer.
It is definitely possible using ACL and ssl_c_sha1, so that the route will
only be accessible if the peer certificate has the right SHA1 finger