Re: ssl_c_sha256 ?

2020-06-29 Thread Stephane Martin (stepham2)
Perfect, thank you all. Classical choice between "upgrade" and "backport" now
On 29/06/2020 12:59, "Tim Düsterhus" wrote:
Stephane,
On 29.06.20 at 12:56, Stephane Martin (stepham2) wrote:
> Thank you for your quick answers!
>
> So I understand that it is possible

Re: ssl_c_sha256 ?

2020-06-29 Thread Tim Düsterhus
Stephane,
On 29.06.20 at 12:56, Stephane Martin (stepham2) wrote:
> Thank you for your quick answers!
>
> So I understand that it is possible for haproxy >= 2.1. For haproxy 2.0, got
> to backport the sha2 filter, right ?
That is correct. I expect the commit I linked to apply pretty seamlessly

Re: ssl_c_sha256 ?

2020-06-29 Thread Stephane Martin (stepham2)
sl_c_sha1 is simply a hash of the DER representation of the
>> certificate. So you can just hash it with the sha2 converter:
>>
>> ssl_c_sha256,sha2(256)
>
> I think the first fetch should be ssl_c_der ?
> (ssl_c_der,sha2(256))
>

Re: ssl_c_sha256 ?

2020-06-29 Thread Tim Düsterhus
Jarno,
On 29.06.20 at 12:46, Jarno Huuskonen wrote:
>> The ssl_c_sha1 is simply a hash of the DER representation of the
>> certificate. So you can just hash it with the sha2 converter:
>>
>> ssl_c_sha256,sha2(256)
>
> I think the first fetch should be ssl

Re: ssl_c_sha256 ?

2020-06-29 Thread Jarno Huuskonen
; - Is there any other way to get that ?
>
> Yes, see this commit message:
> https://github.com/haproxy/haproxy/commit/d4376302377e4f51f43a183c2c91d929b27e1ae3
>
> The ssl_c_sha1 is simply a hash of the DER representation of the
> certificate. So you can just hash it with the sha2

Re: ssl_c_sha256 ?

2020-06-29 Thread Jarno Huuskonen
Hi,
On Mon, 2020-06-29 at 10:01 +, Stephane Martin (stepham2) wrote:
> Hello,
>
> I’m trying to set up TLS mutual authentication using pinned certificates in
> haproxy, i.e. only accept a precise known certificate from the peer.
>
> It is definitively possible using ACL and ssl_c_sha1, so that

Re: ssl_c_sha256 ?

2020-06-29 Thread Tim Düsterhus
xy/haproxy/commit/d4376302377e4f51f43a183c2c91d929b27e1ae3
The ssl_c_sha1 is simply a hash of the DER representation of the certificate. So you can just hash it with the sha2 converter:
ssl_c_sha256,sha2(256)
Best regards
Tim Düsterhus

ssl_c_sha256 ?

2020-06-29 Thread Stephane Martin (stepham2)
Hello,
I’m trying to set up TLS mutual authentication using pinned certificates in haproxy, i.e. only accept a precise known certificate from the peer.
It is definitively possible using ACL and ssl_c_sha1, so that the route will only be accessible if the peer certificate has the right SHA1 finger