Re: Haproxy + LDAPS+ SNI

2021-11-03 Thread Lukas Tribus
Hello Ben, On Wed, 3 Nov 2021 at 12:55, Ben Hart wrote: > > Thanks again Lukas! > So the server directive's use of a cert or CA file is only to > verify the identity of the server in question. No, "crt" (a certificate including private key) and "ca-file" (the public certificate of a CA) are two

Re: Haproxy + LDAPS+ SNI

2021-11-03 Thread Ben Hart
Thanks again Lukas! So the server directive's use of a cert or CA file is only to verify the identity of the server in question. So the SSL crt specified in the frontend, does that secure only the connection to Haproxy or is it passed-through to the server connection as well? I might be misunder

Re: Haproxy + LDAPS+ SNI

2021-11-03 Thread Lukas Tribus
Hello Ben, On Wed, 3 Nov 2021 at 03:54, Ben Hart wrote: > > I wonder, can I ask if the server directives are correct insofar as > making a secured connection to the backend server entries? > > I'm told that HAP might be connecting by IP in which case the > SSL cert would be useless The document

Re: Haproxy + LDAPS+ SNI

2021-11-02 Thread Ben Hart
Oh nice.. Thanks for the second set of eyes Lukas. So funnily enough I was planning on doing a capture.. I just don’t have access to a system in that environment yet. So since I'm on the topic of the config syntax... I wonder, can I ask if the server directives are correct insofar as making a

Re: Haproxy + LDAPS+ SNI

2021-11-02 Thread Lukas Tribus
Hello, On Tue, 2 Nov 2021 at 21:24, Ben Hart wrote: > > In the config (pasted here > https://0bin.net/paste/1aOh1F4y#qStfT0m0mER3rhI3DonDbCsr0NRmVuH9XiwvagEkAiE) > My questions surround the syntax of the config file.. Most likely those clients don't send SNI. Capture the SSL handshake and ver
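
The check Lukas suggests above, written out as an added example (not code from the thread or from HAProxy): the reason a client can be handed the "wrong" certificate is that HAProxy picks the certificate from its ClientHello's SNI extension, and a client that sends no SNI gets the bind line's default certificate (or, with `strict-sni`, no certificate at all). The parser below takes the raw bytes of a captured TLS ClientHello record and returns the SNI host name, or `None` when the extension is absent. The builder is only there to construct sample input offline; `ldaps.domain.com` is the name from the original post, the cipher suites and the supported_groups extension are arbitrary filler, and all function names are this example's own.

```python
import struct

SNI_EXT = 0x0000            # TLS extension type "server_name" (RFC 6066)
SUPPORTED_GROUPS_EXT = 0x000a


def build_client_hello(server_name=None):
    """Constructed sample input: a minimal TLS 1.2 ClientHello record.
    server_name=None omits the SNI extension, as a legacy LDAP client might."""
    extensions = b""
    if server_name is not None:
        host = server_name.encode("ascii")              # SNI names are ASCII (IDNA-encoded)
        entry = b"\x00" + struct.pack("!H", len(host)) + host   # name_type host_name(0)
        name_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", SNI_EXT, len(name_list)) + name_list
    groups = b"\x00\x1d\x00\x17"                        # x25519, secp256r1 (filler)
    groups_data = struct.pack("!H", len(groups)) + groups
    extensions += struct.pack("!HH", SUPPORTED_GROUPS_EXT, len(groups_data)) + groups_data

    cipher_suites = b"\xc0\x2f\xc0\x30\x00\x9c"          # arbitrary filler suites
    body = (b"\x03\x03" + bytes(32)                     # client_version, random
            + b"\x00"                                    # empty session id
            + struct.pack("!H", len(cipher_suites)) + cipher_suites
            + b"\x01\x00"                                # compression: null only
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def is_client_hello(record):
    """True if the bytes look like a TLS handshake record carrying a ClientHello."""
    return len(record) >= 9 and record[0] == 0x16 and record[5] == 0x01


def extract_sni(record):
    """Return the SNI host name from a captured ClientHello record, or None
    if the client sent no server_name extension. Raises ValueError on
    anything that is not a complete ClientHello."""
    if not is_client_hello(record):
        raise ValueError("not a TLS ClientHello record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:
        raise ValueError("truncated ClientHello")

    pos = 2 + 32                                         # skip version + random
    pos += 1 + body[pos]                                 # session id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0] # cipher suites
    pos += 1 + body[pos]                                 # compression methods
    if pos + 2 > len(body):
        return None                                      # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len

    while pos + 4 <= end:
        ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        ext_data = body[pos:pos + ext_size]
        pos += ext_size
        if ext_type != SNI_EXT:
            continue
        # ServerNameList: 2-byte list length, then (name_type, 2-byte length, name) entries
        lpos = 2
        while lpos + 3 <= len(ext_data):
            name_type = ext_data[lpos]
            name_len = struct.unpack("!H", ext_data[lpos + 1:lpos + 3])[0]
            name = ext_data[lpos + 3:lpos + 3 + name_len]
            if name_type == 0:
                return name.decode("ascii")
            lpos += 3 + name_len
    return None


if __name__ == "__main__":
    for label, hello in (("with SNI", build_client_hello("ldaps.domain.com")),
                         ("without SNI", build_client_hello(None))):
        print(f"{label}: sni={extract_sni(hello)!r}")
```

To run this against real traffic, copy the ClientHello record out of the capture (Wireshark's "Copy as Hex Stream" on the TLS record) and pass `bytes.fromhex(...)` to `extract_sni`; a client that comes back `None` is the one receiving the default certificate. The same answer is available without a parser from tshark's `tls.handshake.extensions_server_name` field on packets matching `tls.handshake.type == 1` (the field is prefixed `ssl.` in Wireshark versions before 3.0).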

Haproxy + LDAPS+ SNI

2021-11-02 Thread Ben Hart
Hey all! So I’m setting up.. or have set up rather.. a few new production load balancer servers to be used for handling LDAPS connections. Anyway last week I encountered some client requests that were directed at ldaps.domain.com:636 and were given the wrong SSL cert. In the config (pasted her