---------- Forwarded message ----------
From: Baptiste <bed...@gmail.com>
Date: Sat, Apr 13, 2013 at 4:23 PM
Subject: Re: Can't get client side certificate to work (repost)
To: Lukas Tribus <luky...@hotmail.com>
Cc: Thomas Dudziak <tom...@gmail.com>, "haproxy@formilux.org" <haproxy@formilux.org>
Hi Thomas,

I could reproduce the issue and I could also find the fix.
Your CA, server and client certificate can't have the same CN!

Please update your certificate generation script like below:

===========
export SUBJECT_CA='/C=US/ST=California/L=San Francisco/CN=CA'
export SUBJECT_SERVER='/C=US/ST=California/L=San Francisco/CN=www.example.com'
export SUBJECT_CLIENT1='/C=US/ST=California/L=San Francisco/CN=client1'

# certificate authority creation
openssl genrsa -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt -subj "$SUBJECT_CA"

# server certificate creation
openssl genrsa -out server.key 1024
openssl req -new -key server.key -out server.csr -subj "$SUBJECT_SERVER"
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt

# client certificate creation
openssl genrsa -out client.key 1024
openssl req -new -key client.key -out client.csr -subj "$SUBJECT_CLIENT1"
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out client.crt

cat server.crt server.key > server.pem
sudo cp server.pem /etc/haproxy/server.pem
sudo cp ca.crt /etc/haproxy/ca.crt
================

And it will work as expected:

================
curl -vk --key client.key --cert client.crt https://localhost:4443
* About to connect() to localhost port 4443 (#0)
*   Trying ::1... Connexion refusée
*   Trying 127.0.0.1... connected
* Connected to localhost (127.0.0.1) port 4443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Request CERT (13):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS handshake, CERT verify (15):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using AES256-SHA
* Server certificate:
*   subject: C=AU; ST=Some-State; O=Internet Widgits Pty Ltd; CN=www.server.com
*   start date: 2013-04-13 14:16:56 GMT
*   expire date: 2014-04-13 14:16:56 GMT
*   common name: www.server.com (does not match 'localhost')
*   issuer: C=AU; ST=Some-State; O=Internet Widgits Pty Ltd; CN=CA
*   SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
> GET / HTTP/1.1
> User-Agent: curl/7.21.0 (x86_64-pc-linux-gnu) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3.4 libidn/1.15 libssh2/1.2.6
> Host: localhost:4443
> Accept: */*
>
* HTTP 1.0, assume close after body
< HTTP/1.0 503 Service Unavailable
< Cache-Control: no-cache
< Connection: close
< Content-Type: text/html
<
<html><body><h1>503 Service Unavailable</h1>
No server is available to handle this request.
</body></html>
* SSLv3, TLS alert, Client hello (1):
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):
==================

Baptiste

On Sat, Apr 13, 2013 at 9:20 AM, Baptiste <bed...@gmail.com> wrote:
> Hi Tom,
>
> Sorry I did not have any time to answer you either on the blog or on
> the ML. I'm very busy at work currently.
> I'll have a look at your issue on Sunday and hopefully I'll find out the
> issue.
> That said, please give a try to Lukas' advice :)
>
> Baptiste
>
> On Fri, Apr 12, 2013 at 8:15 PM, Lukas Tribus <luky...@hotmail.com> wrote:
>> Hi Thomas,
>>
>>> I'm trying to follow this blog post:
>>> http://blog.exceliance.fr/2012/10/03/ssl-client-certificate-management-at-application-level/,
>>> but I can't get the client certificate to work with 1.5dev18.
>>
>> Could you try a few older releases, specifically dev12, 13 and 14 (which is
>> around the time that blog post was written).
>>
>> I did not play with client side certificates yet, so I'm not sure how it
>> works exactly, but testing older releases will help to understand whether
>> this is a regression in haproxy or if we need to focus on things like
>> certificate issues, etc.
>>
>> Cheers,
>> Lukas
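As an added example (not code from this thread or from HAProxy) of what the fix above achieves: a script that generates a CA, a server certificate and a client certificate with three distinct CNs, then uses openssl to check that the CNs really differ and that both leaf certificates chain to the CA. The subjects, file names, key sizes and the helper names (sign_with_ca, cert_cn, cns_are_distinct, verify_chain) are assumptions made for this example.

```shell
# Added example: a CA plus server and client certificates with three distinct
# CNs, followed by checks that the CNs differ and the leaves chain to the CA.
# Subjects, file names and helper names are assumptions, not from the thread.
set -eu
WORKDIR="${WORKDIR:-$(mktemp -d)}"
SUBJECT_CA='/C=US/O=Example/CN=example-ca'
SUBJECT_SERVER='/C=US/O=Example/CN=www.example.com'
SUBJECT_CLIENT='/C=US/O=Example/CN=client1'

# Sign the CSR in $1 with the CA, using serial $2, writing the cert to $3.
sign_with_ca() {
    openssl x509 -req -days 365 -in "$1" -CA "$WORKDIR/ca.crt" \
        -CAkey "$WORKDIR/ca.key" -set_serial "$2" -out "$3" 2>/dev/null
}

make_pki() {
    openssl genrsa -out "$WORKDIR/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key "$WORKDIR/ca.key" \
        -out "$WORKDIR/ca.crt" -subj "$SUBJECT_CA"
    for name in server client; do
        if [ "$name" = server ]; then subj=$SUBJECT_SERVER; serial=01
        else subj=$SUBJECT_CLIENT; serial=02; fi
        openssl genrsa -out "$WORKDIR/$name.key" 2048 2>/dev/null
        openssl req -new -key "$WORKDIR/$name.key" \
            -out "$WORKDIR/$name.csr" -subj "$subj"
        sign_with_ca "$WORKDIR/$name.csr" "$serial" "$WORKDIR/$name.crt"
    done
}

# Print the subject CN of the PEM certificate in $1 (RFC2253 form: CN=...,O=...).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Succeed only when the three subject CNs are pairwise different.
cns_are_distinct() {
    ca=$(cert_cn "$WORKDIR/ca.crt"); srv=$(cert_cn "$WORKDIR/server.crt")
    cli=$(cert_cn "$WORKDIR/client.crt")
    [ "$ca" != "$srv" ] && [ "$ca" != "$cli" ] && [ "$srv" != "$cli" ]
}

# Succeed when the certificate in $1 verifies against ca.crt, the same trust
# anchor HAProxy would be given as ca-file to verify client certificates.
verify_chain() {
    openssl verify -CAfile "$WORKDIR/ca.crt" "$1" >/dev/null 2>&1
}

make_pki && cns_are_distinct && verify_chain "$WORKDIR/client.crt" && echo ok
```

The files land in a temporary directory; ca.crt is what would be copied to /etc/haproxy/ca.crt as in the script above.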