Re: Option "verify" incompatible with "crt-list"

2018-08-20 Thread Jean-Baptiste Berthelin
Dear,

I have just upgraded to the latest release of HAProxy 1.8 and it is working
well now.

Regards

On 20/08/2018 at 13:39, Aleksandar Lazic wrote:
> Hi.
>
> On 20.08.2018 at 10:20, Jean-Baptiste Berthelin wrote:
>> Hello,
>>
>> Since I upgraded my Chrome web browser (Version 68.x), I always get a
>> popup to choose the client certificate when reaching a HAProxy frontend.
>>
>> After some tests, I only get this popup if:
>>  - a "personal" certificate is stored on the webbrowser,
>>  - and the bind instruction "verify" is set to "optional" or "required".
>>
>> It seems to be possible to define different options according to the SNI with
>> the "crl-file" parameter. The documentation says:
>>
>> This setting is only available when support for OpenSSL was built in. It
>> designates a list of PEM files with an optional ssl configuration and a SNI
>> filter per certificate, with the following format for each line:
>>
>>    [\[ ...\]] [[!] ...]
>>
>> sslbindconf supports "npn", "alpn", "verify", "ca-file", "no-ca-names",
>> "crl-file", "ecdhe", "curves", "ciphers" configuration. With BoringSSL
>> and OpenSSL >= 1.1.1 "ssl-min-ver" and "ssl-max-ver" are also supported.
>> It overrides the configuration set in the bind line for the certificate.
>>
>> ~~~
>> On my side, I tried the following configuration without success:
>>
>> => frontend :
>>
>> bind 0.0.0.0:443 ssl crt-list /etc/haproxy/domain_crt_list
>>
>> => with /etc/haproxy/domain_crt_list:
>>
>> /etc/haproxy/domain-com.pem [verify optional] my.domain.com
>> /etc/haproxy/domain2-com.pem *.domain.com
>>
>> ~~~
>>
>> The certificate provided by the haproxy server is different according to the
>> SNI, but the "verify" option is not taken into account.
>>
>> Is it a known bug or is there a workaround?
> Which haproxy version do you use? haproxy -vv
> Do you get on both domains the popup or only on domain-com?
> Do you have any error message in the log or stdout?
> Does it help when you add [verify none] on domain2-com?
>
> I can't see any error or bug in the while loop in the function
> ssl_sock_load_cert_list_file but I'm not a C expert.
>
> http://git.haproxy.org/?p=haproxy-1.8.git;a=blob;f=src/ssl_sock.c;hb=c1bfcd002f54d1d84a99282d13f875c2649f3d70#l3542
>
>> Best regards
>>
>> -- 
>>
>> *Jean-Baptiste Berthelin*
> Best regards
> aleks




Re: Option "verify" incompatible with "crt-list"

2018-08-20 Thread Aleksandar Lazic
Hi.

On 20.08.2018 at 10:20, Jean-Baptiste Berthelin wrote:
> Hello,
> 
> Since I upgraded my Chrome web browser (Version 68.x), I always get a
> popup to choose the client certificate when reaching a HAProxy frontend.
> 
> After some tests, I only get this popup if:
>  - a "personal" certificate is stored on the webbrowser,
>  - and the bind instruction "verify" is set to "optional" or "required".
> 
> It seems to be possible to define different options according to the SNI with
> the "crl-file" parameter. The documentation says:
> 
> This setting is only available when support for OpenSSL was built in. It
> designates a list of PEM files with an optional ssl configuration and a SNI
> filter per certificate, with the following format for each line:
> 
>    [\[ ...\]] [[!] ...]
> 
> sslbindconf supports "npn", "alpn", "verify", "ca-file", "no-ca-names",
> "crl-file", "ecdhe", "curves", "ciphers" configuration. With BoringSSL
> and OpenSSL >= 1.1.1 "ssl-min-ver" and "ssl-max-ver" are also supported.
> It overrides the configuration set in the bind line for the certificate.
> 
> ~~~
> On my side, I tried the following configuration without success:
> 
> => frontend :
> 
> bind 0.0.0.0:443 ssl crt-list /etc/haproxy/domain_crt_list
> 
> => with /etc/haproxy/domain_crt_list:
> 
> /etc/haproxy/domain-com.pem [verify optional] my.domain.com
> /etc/haproxy/domain2-com.pem *.domain.com
> 
> ~~~
> 
> The certificate provided by the haproxy server is different according to the
> SNI, but the "verify" option is not taken into account.
> 
> Is it a known bug or is there a workaround?

Which haproxy version do you use? haproxy -vv
Do you get on both domains the popup or only on domain-com?
Do you have any error message in the log or stdout?
Does it help when you add [verify none] on domain2-com?

I can't see any error or bug in the while loop in the function
ssl_sock_load_cert_list_file but I'm not a C expert.

http://git.haproxy.org/?p=haproxy-1.8.git;a=blob;f=src/ssl_sock.c;hb=c1bfcd002f54d1d84a99282d13f875c2649f3d70#l3542

> Best regards
> 
> -- 
> 
> *Jean-Baptiste Berthelin*

Best regards
aleks



Option "verify" incompatible with "crt-list"

2018-08-20 Thread Jean-Baptiste Berthelin
Hello,

Since I upgraded my Chrome web browser (Version 68.x), I always get
a popup to choose the client certificate when reaching a HAProxy frontend.

After some tests, I only get this popup if:
 - a "personal" certificate is stored on the webbrowser,
 - and the bind instruction "verify" is set to "optional" or "required".

It seems to be possible to define different options according to the SNI
with the "crl-file" parameter. The documentation says:

This setting is only available when support for OpenSSL was built in. It
designates a list of PEM files with an optional ssl configuration and a SNI
filter per certificate, with the following format for each line:

   [\[ ...\]] [[!] ...]

sslbindconf supports "npn", "alpn", "verify", "ca-file", "no-ca-names",
"crl-file", "ecdhe", "curves", "ciphers" configuration. With BoringSSL
and OpenSSL >= 1.1.1 "ssl-min-ver" and "ssl-max-ver" are also supported.
It overrides the configuration set in the bind line for the certificate.

~~~
On my side, I tried the following configuration without success:

=> frontend :

bind 0.0.0.0:443 ssl crt-list /etc/haproxy/domain_crt_list

=> with /etc/haproxy/domain_crt_list:

/etc/haproxy/domain-com.pem [verify optional] my.domain.com
/etc/haproxy/domain2-com.pem *.domain.com

~~~

The certificate provided by the haproxy server is different according to
the SNI, but the "verify" option is not taken into account.

Is it a known bug or is there a workaround?

Best regards

-- 

*Jean-Baptiste Berthelin*
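The crt-list format quoted in this post, modelled as an added example (not HAProxy's own parser, and a simplified reading of its SNI matching and of which sslbindconf keywords take an argument): it parses each line's options and reports which certificate and which "verify" mode a given SNI ends up with, including the fall-back to the bind-line value when an entry sets no override.

```python
# Added example, not HAProxy's own code: a simplified model of the crt-list line
# format quoted above, used to check which certificate and "verify" mode an SNI selects.
# Constructed sample crt-list: the thread's two lines plus a negated filter.
SAMPLE_CRT_LIST = """\
# comments and blank lines are ignored
/etc/haproxy/domain-com.pem [verify optional] my.domain.com
/etc/haproxy/domain2-com.pem *.domain.com !internal.domain.com
"""
FLAG_KEYWORDS = {"no-ca-names"}  # sslbindconf keywords that take no argument (assumed)

def parse_crt_list(text):
    """Return a list of {"crtfile", "conf", "filters"} dicts, one per crt-list line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        crtfile, _, rest = line.partition(" ")
        entry = {"crtfile": crtfile, "conf": {}, "filters": []}
        rest = rest.strip()
        if rest.startswith("["):  # optional per-certificate ssl configuration
            conf, _, rest = rest[1:].partition("]")
            toks = conf.split()
            while toks:
                key = toks.pop(0)
                entry["conf"][key] = True if key in FLAG_KEYWORDS or not toks else toks.pop(0)
        entry["filters"] = [(t.startswith("!"), t.lstrip("!")) for t in rest.split()]
        entries.append(entry)
    return entries

def sni_match(pattern, sni):
    """Simplified SNI filter: a leading '*.' matches exactly one hostname label."""
    if pattern.startswith("*."):
        head, _, tail = sni.partition(".")
        return bool(head) and tail == pattern[2:]
    return sni == pattern

def select(entries, sni, bind_verify="none"):
    """Return (crtfile, verify) for an SNI: exact filters win over wildcards, a
    matching negated filter excludes the entry, and "verify" falls back to the
    bind-line value when the entry's configuration does not override it."""
    for wildcard in (False, True):
        for e in entries:
            if any(neg and sni_match(p, sni) for neg, p in e["filters"]):
                continue
            if any(not neg and p.startswith("*.") == wildcard and sni_match(p, sni)
                   for neg, p in e["filters"]):
                return e["crtfile"], e["conf"].get("verify", bind_verify)
    return None, bind_verify
```

With the sample list, `my.domain.com` selects domain-com.pem with verify optional, while `other.domain.com` falls through to the wildcard entry and keeps whatever verify mode the bind line set.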



Re: Option "verify" incompatible with "crt-list"

2018-08-17 Thread Aleksandar Lazic
Hello.

Sorry, but I don't understand French, so I will try to interpret your question.

On 17.08.2018 at 17:40, Jean-Baptiste Berthelin wrote:
> Hello,
> 
> Since the latest versions of Chrome, we now get a client certificate
> selection prompt when accessing a HAProxy frontend, because a certificate is
> installed in my browser and combined with the bind instruction:
> verify optional (or required).
> 
> It seems possible to define specific options depending on the SNI
> via the crl-file parameter:
> 
> According to the documentation:
> 
> This setting is only available when support for OpenSSL was built in. It
> designates a list of PEM files with an optional ssl configuration and a SNI
> filter per certificate, with the following format for each line:
> 
>    [\[ ...\]] [[!] ...]
> 
> sslbindconf supports "npn", "alpn", "verify", "ca-file", "no-ca-names",
> "crl-file", "ecdhe", "curves", "ciphers" configuration. With BoringSSL
> and OpenSSL >= 1.1.1 "ssl-min-ver" and "ssl-max-ver" are also supported.
> It overrides the configuration set in the bind line for the certificate.
> 
> ~~~
> The configuration in place is the following:
> 
> => frontend :
> 
> bind 0.0.0.0:443 ssl crt-list /etc/haproxy/domain_crt_list
> 
> => with /etc/haproxy/domain_crt_list:
> 
> /etc/haproxy/domain-com.pem [verify optional] my.domain.com

Can you try to add \ before [ and ]?

for example:
/etc/haproxy/domain-com.pem \[verify optional\] my.domain.com

> /etc/haproxy/domain2-com.pem *.domain.com
> 
> ~~~
> 
> The certificate presented by the server is indeed different depending on the
> SNI, but the "verify" option does not seem to be interpreted.
> 
> Regards
> 
> -- 
> 
> *Jean-Baptiste Berthelin*

Best regards
Aleks



Option "verify" incompatible with "crt-list"

2018-08-17 Thread Jean-Baptiste Berthelin
Hello,

Since the latest versions of Chrome, we now get a client certificate
selection prompt when accessing a HAProxy frontend, because a certificate
is installed in my browser and combined with the bind instruction:
verify optional (or required).

It seems possible to define specific options depending on the SNI via
the crl-file parameter:

According to the documentation:

This setting is only available when support for OpenSSL was built in. It
designates a list of PEM files with an optional ssl configuration and a SNI
filter per certificate, with the following format for each line:

   [\[ ...\]] [[!] ...]

sslbindconf supports "npn", "alpn", "verify", "ca-file", "no-ca-names",
"crl-file", "ecdhe", "curves", "ciphers" configuration. With BoringSSL
and OpenSSL >= 1.1.1 "ssl-min-ver" and "ssl-max-ver" are also supported.
It overrides the configuration set in the bind line for the certificate.

~~~
The configuration in place is the following:

=> frontend :

bind 0.0.0.0:443 ssl crt-list /etc/haproxy/domain_crt_list

=> with /etc/haproxy/domain_crt_list:

/etc/haproxy/domain-com.pem [verify optional] my.domain.com
/etc/haproxy/domain2-com.pem *.domain.com

~~~

The certificate presented by the server is indeed different depending on the
SNI, but the "verify" option does not seem to be interpreted.

Regards

-- 

*Jean-Baptiste Berthelin*