Re: Option "verify" incompatible with "crt-list"
Dear, I have just upgraded to the latest release of HAProxy 1.8 and it's working well now.

Regards

On 20/08/2018 at 13:39, Aleksandar Lazic wrote:
> Hi.
>
> On 20.08.2018 at 10:20, Jean-Baptiste Berthelin wrote:
>> Hello,
>>
>> Since I have upgraded my Chrome web browser (Version 68.x), I always have a
>> popup to choose the client certificate when reaching a HAProxy frontend.
>>
>> After some tests, I only have this popup if:
>> - a "personal" certificate is stored in the web browser,
>> - and the bind instruction "verify" is set to "optional" or "required".
>>
>> It seems to be possible to define different options according to the SNI with
>> the "crl-file" parameter. The documentation says:
>>
>> This setting is only available when support for OpenSSL was built in. It
>> designates a list of PEM files with an optional ssl configuration and a SNI
>> filter per certificate, with the following format for each line:
>>
>> [\[ ...\]] [[!] ...]
>>
>> sslbindconf supports "npn
>> <https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#npn>", "alpn
>> <https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#alpn>",
>> "verify<https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#>",
>> "ca-file<https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#>",
>> "no-ca-names
>> <https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#no-ca-names>",
>> crl-file", "ecdhe
>> <https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#ecdhe>",
>> "curves
>> <https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#curves>",
>> "ciphers<https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#>"
>> configuration. With BoringSSL and OpenSSL >= 1.1.1
>> "ssl-min-ver<https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#>"
>> and
>> "ssl-max-ver<https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#>"
>> are also supported.
>> It overrides the configuration set in the bind line for the certificate.
>>
>> ~~~
>> On my side, I tried the following configuration without success:
>>
>> => frontend :
>>
>> bind 0.0.0.0:443 ssl crt-list /etc/haproxy/domain_crt_list
>>
>> => with /etc/haproxy/domain_crt_list :
>>
>> /etc/haproxy/domain-com.pem [verify optional] my.domain.com
>> /etc/haproxy/domain2-com.pem *.domain.com
>>
>> ~~~
>>
>> The certificate provided by the haproxy server is different according to the
>> SNI, but the "verify" option is not taken into account.
>>
>> Is it a known bug or is there a workaround?
> Which haproxy version do you use? haproxy -vv
> Do you get the popup on both domains or only on domain-com?
> Do you have any error message in the log or stdout?
> Does it help when you add [verify none] on domain2-com?
>
> I can't see any error or bug in the while loop in the function
> ssl_sock_load_cert_list_file, but I'm not a C expert.
>
> http://git.haproxy.org/?p=haproxy-1.8.git;a=blob;f=src/ssl_sock.c;hb=c1bfcd002f54d1d84a99282d13f875c2649f3d70#l3542
>
>> Best regards
>>
>> --
>>
>> *Jean-Baptiste Berthelin*
> Best regards
> aleks
Option "verify" incompatible with "crt-list"
Hello,

Since I have upgraded my Chrome web browser (Version 68.x), I always have a popup to choose the client certificate when reaching a HAProxy frontend.

After some tests, I only have this popup if:
- a "personal" certificate is stored in the web browser,
- and the bind instruction "verify" is set to "optional" or "required".

It seems to be possible to define different options according to the SNI with the "crl-file" parameter. The documentation says:

This setting is only available when support for OpenSSL was built in. It designates a list of PEM files with an optional ssl configuration and a SNI filter per certificate, with the following format for each line:

[\[ ...\]] [[!] ...]

sslbindconf supports "npn <https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#npn>", "alpn <https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#alpn>", "verify<https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#>", "ca-file<https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#>", "no-ca-names <https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#no-ca-names>", crl-file", "ecdhe <https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#ecdhe>", "curves <https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#curves>", "ciphers<https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#>" configuration. With BoringSSL and OpenSSL >= 1.1.1 "ssl-min-ver<https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#>" and "ssl-max-ver<https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#>" are also supported.
It overrides the configuration set in the bind line for the certificate.

~~~
On my side, I tried the following configuration without success:

=> frontend :

bind 0.0.0.0:443 ssl crt-list /etc/haproxy/domain_crt_list

=> with /etc/haproxy/domain_crt_list :

/etc/haproxy/domain-com.pem [verify optional] my.domain.com
/etc/haproxy/domain2-com.pem *.domain.com

~~~

The certificate provided by the haproxy server is different according to the SNI, but the "verify" option is not taken into account.

Is it a known bug or is there a workaround?

Best regards

--

*Jean-Baptiste Berthelin*
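The crt-list format quoted above is compact enough to misread, so here is an added example, not code from this thread or from HAProxy: a small Python parser that reads a constructed copy of the crt-list, reports which certificate entries carry no explicit "verify" (and therefore inherit whatever the bind line says), and resolves which verify mode a given SNI ends up with. The matching rules it applies (exact name, a "*." wildcard covering one label, "!" exclusions, "#" comments, "no-ca-names" as the only valueless keyword) are assumptions of this example, not a transcription of HAProxy's own loader in ssl_sock_load_cert_list_file.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the two crt-list lines from the thread, plus a comment
# and a "!" exclusion that the thread does not use, to exercise those parts
# of the format.
SAMPLE_CRT_LIST = """\
# per-SNI TLS settings (constructed sample)
/etc/haproxy/domain-com.pem [verify optional] my.domain.com
/etc/haproxy/domain2-com.pem *.domain.com !secret.domain.com
"""

# Assumed: sslbindconf keywords that take no value; every other keyword takes one.
FLAG_KEYWORDS = {"no-ca-names"}


@dataclass
class CrtListEntry:
    crtfile: str
    options: dict = field(default_factory=dict)       # e.g. {"verify": "optional"}
    sni_filters: list = field(default_factory=list)   # accepted SNI patterns
    sni_excludes: list = field(default_factory=list)  # patterns written with "!"


# <crtfile> [ <sslbindconf ...> ] <snifilter ...>
_LINE_RE = re.compile(r"^(\S+)\s*(?:\[([^\]]*)\])?\s*(.*)$")


def parse_crt_list(text):
    """Parse crt-list text into CrtListEntry objects, raising on malformed lines."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = _LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        crtfile, optstr, filters = m.groups()
        entry = CrtListEntry(crtfile)
        tokens = (optstr or "").split()
        i = 0
        while i < len(tokens):
            key = tokens[i]
            if key in FLAG_KEYWORDS:
                entry.options[key] = True
                i += 1
            elif i + 1 < len(tokens):
                entry.options[key] = tokens[i + 1]
                i += 2
            else:
                raise ValueError(f"line {lineno}: option {key!r} needs a value")
        for pat in filters.split():
            if pat.startswith("!"):
                entry.sni_excludes.append(pat[1:])
            else:
                entry.sni_filters.append(pat)
        entries.append(entry)
    return entries


def _sni_match(pattern, host):
    """Assumed rule: exact name, or a "*." wildcard covering exactly one label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host


def entry_for_sni(entries, host):
    """Pick the entry serving `host`: exact filters first, then wildcards."""
    for wildcard_pass in (False, True):
        for e in entries:
            if any(_sni_match(p, host) for p in e.sni_excludes):
                continue  # a "!" pattern removes this line from consideration
            for p in e.sni_filters:
                if p.startswith("*.") == wildcard_pass and _sni_match(p, host):
                    return e
    return None


def effective_verify(entries, host, bind_default="none"):
    """Client-cert verify mode a given SNI gets; the bind line is the fallback."""
    e = entry_for_sni(entries, host)
    if e is None:
        return bind_default
    return e.options.get("verify", bind_default)


def entries_without_verify(entries):
    """Certificates that silently inherit the bind line's verify setting."""
    return [e.crtfile for e in entries if "verify" not in e.options]


if __name__ == "__main__":
    parsed = parse_crt_list(SAMPLE_CRT_LIST)
    for e in parsed:
        print(e.crtfile, e.options, e.sni_filters, e.sni_excludes)
    for sni in ("my.domain.com", "www.domain.com", "secret.domain.com"):
        print(sni, "->", effective_verify(parsed, sni))
    print("inherit bind verify:", entries_without_verify(parsed))
```

Running it against the thread's list shows that only domain-com.pem requests a client certificate, while every name under *.domain.com falls back to whatever "verify" the bind line sets, which is the kind of silent inheritance worth checking before assuming mutual TLS is enforced for a given SNI.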
Option "verify" incompatible with "crt-list"
Hello,

Since the latest versions of Chrome, we now get a client certificate selection prompt when accessing a HAProxy frontend, because a certificate is installed in my browser combined with the bind instruction: verify optional (or required).

It seems possible to define specific options depending on the SNI via the crl-file parameter:

According to the documentation:

This setting is only available when support for OpenSSL was built in. It designates a list of PEM files with an optional ssl configuration and a SNI filter per certificate, with the following format for each line:

[\[ ...\]] [[!] ...]

sslbindconf supports "npn <https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#npn>", "alpn <https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#alpn>", "verify<https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#>", "ca-file<https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#>", "no-ca-names <https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#no-ca-names>", crl-file", "ecdhe <https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#ecdhe>", "curves <https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#curves>", "ciphers<https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#>" configuration. With BoringSSL and OpenSSL >= 1.1.1 "ssl-min-ver<https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#>" and "ssl-max-ver<https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#>" are also supported.
It overrides the configuration set in the bind line for the certificate.

~~~
The configuration in place is the following:

=> frontend :

bind 0.0.0.0:443 ssl crt-list /etc/haproxy/domain_crt_list

=> with /etc/haproxy/domain_crt_list :

/etc/haproxy/domain-com.pem [verify optional] my.domain.com
/etc/haproxy/domain2-com.pem *.domain.com

~~~

The certificate presented by the server is indeed different depending on the SNI, but the "verify" option does not seem to be interpreted.

Regards

--

*Jean-Baptiste Berthelin*