Although HAProxy can verify the SSL certs of an SSL-enabled server
against a CA chain, it currently doesn't check the actual hostname on
the cert, meaning that it will accept any cert signed by any major CA
(and thus can be man-in-the-middle'd simply by controlling DNS).

I've been working on a patch to allow specifying the hostname that a
certificate must match. This allows you to specify "verifyhost
<hostname>" as a parameter to a server statement, e.g.

  server google google.com:443 ssl verify required verifyhost google.com

There's a bit of complexity in the code due to handling wildcard
subjects and subjectAlternateNames, but it seems to work correctly in
my testing.

I've attached my current version of the patch. I wanted to offer it up
for feedback on both the code itself and things like the name of the
option before I wrote docs, etc. If the patch seems reasonable, I'm
happy to write up the docs for it.

Thanks,
 - Evan

Attachment: 0001-MINOR-ssl-Add-statement-verifyhost-to-server-stateme.patch
Description: Binary data
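
Added example, not part of the original message and not the code from the attached patch: one way to match a configured verifyhost name against a certificate's names, covering the wildcard and subjectAltName cases mentioned above. The function names, the wildcard policy (whole leftmost label only, SANs preferred over the CN) and the sample names are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Return 1 if `pattern` (a dNSName SAN or subject CN from the certificate)
 * matches `host` (the name given to verifyhost). Assumed policy: "*" must
 * be the whole leftmost label, covers exactly one label, and "*.com" is
 * refused. Assumes the caller already rejected names with embedded NUL
 * bytes when converting the ASN.1 strings to C strings. */
static int name_matches(const char *pattern, const char *host)
{
    const char *rest, *dot;

    if (!pattern || !host || !*pattern || !*host)
        return 0;
    if (pattern[0] != '*')   /* literal name: no wildcard allowed anywhere */
        return !strchr(pattern, '*') && strcasecmp(pattern, host) == 0;
    if (pattern[1] != '.')
        return 0;            /* "*foo.example.com": partial-label wildcard */
    rest = pattern + 1;      /* ".example.com" */
    if (strchr(rest, '*') || !strchr(rest + 1, '.'))
        return 0;            /* second wildcard, or too broad ("*.com") */
    dot = strchr(host, '.');
    if (!dot || dot == host)
        return 0;            /* host has no first label to cover */
    return strcasecmp(dot, rest) == 0;
}

/* Constructed sample SAN list, for illustration only. */
static const char *const sample_sans[] = { "example.com", "*.example.com" };

/* dNSName SANs take precedence; the CN is used only when there are none. */
static int cert_matches_host(const char *const *sans, size_t nsans,
                             const char *cn, const char *host)
{
    size_t i;

    for (i = 0; i < nsans; i++)
        if (name_matches(sans[i], host))
            return 1;
    return nsans == 0 && name_matches(cn, host);
}

int main(void)
{
    printf("%d\n", cert_matches_host(sample_sans, 2, "x.test", "www.example.com"));
    printf("%d\n", cert_matches_host(sample_sans, 2, "x.test", "a.b.example.com"));
    return 0;
}
```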
