Hi HAProxy list
Just thought I'd resend this report from May in case it was missed.
If it's a non-issue, I apologise.
Regards
Warren
At 15:47 2018/05/22, Warren Rohner wrote:
Hi HAProxy list
We use an HAProxy 1.7.11 instance to terminate SSL and load balance
100+ websites.
The simplified bind line below specifies a default cert (i.e.
secure.example.com.pem) as required in this HAProxy version, and a
directory path to all other certs (i.e. ./):
bind 127.0.0.1:443 ssl crt secure.example.com.pem crt ./
This configuration works as expected. HAProxy finds all certs and
the correct one is used when TLS SNI extension is provided. For
example, visiting https://secure.example.com/ and
https://www.example.com/ (with SNI capable web browser) both work perfectly.
The other day I inadvertently appended a trailing dot to the
hostname for one of our sites (e.g. https://www.example.com.), and
when I did this HAProxy returned the default cert to the browser
rather than the expected cert for that particular site. I'm not
certain, but could this be a possible bug in the HAProxy code that
matches servername provided by browser's TLS SNI extension against
all loaded certificates?
As a further example of problem, I note that the issue can be
reproduced on the haproxy.org website as follows using OpenSSL client:
Works as expected, HAProxy returns correct cert for haproxy.org:
openssl s_client -connect www.haproxy.org:443 -servername www.haproxy.org
With trailing dot on servername, HAProxy returns what I think is the
default cert (an invalid StarrCom-issued cert for formilux.org):
openssl s_client -connect www.haproxy.org:443 -servername www.haproxy.org.
Please let me know if I should provide any further information.
Regards
Warren