Just my 2c, I very much support Kevin’s argument. Even though we are not (yet) verifying backends — because currently we _are_ in a private LAN — we are planning to deploy parts of our application to public cloud infrastructure soon, so it would be a quite important feature.
Regards,
Daniel

--
Daniel Schneller
Principal Cloud Engineer
CenterDevice GmbH | Hochstraße 11 | 42697 Solingen
tel: +49 1754155711 | Deutschland
daniel.schnel...@centerdevice.de | www.centerdevice.de
Managing directors: Dr. Patrick Peschlow, Dr. Lukas Pustina, Michael Rosbach
Commercial register no.: HRB 18655, register court: Bonn, VAT ID: DE-815299431

> On 6. May. 2017, at 19:18, Kevin McArthur <ke...@stormtide.ca> wrote:
>
> 1. The Snowden leaks and the whole "SSL added and removed here" issue, for example. TLS on internal networks is more important these days due to local network implants and other security issues on LANs.
>
> 2. Our use case is actually DigitalOcean where there is "private networking" but it is shared among many customers. Operating without TLS on this semi-private network would be unwise.
>
> 3. Most of the public tutorials for re-encrypt bridged TLS are simply incurring TLS overhead while providing no TLS security. (e.g. SSL on but verify none enabled, verifyhost not set, etc.)
>
> 4. Use cases like CDN proxy of public servers. Think Cloudflare's Full SSL (Strict) setup...
>
> --
>
> Kevin
>
> On 2017-05-05 7:20 PM, Igor Cicimov wrote:
>>
>> On 6 May 2017 2:04 am, "Kevin McArthur" <ke...@stormtide.ca> wrote:
>> When doing tls->haproxy->tls (bridged https) re-encryption with SNI, we need to verify the backend certificate against the SNI value requested by the client.
>>
>> Something like server options:
>>
>> server app1 app1.example.ca:443 ssl no-sslv3 sni ssl_fc_sni verify required verifyhost ssl_fc_sni
>>
>> However, the "verifyhost ssl_fc_sni" part doesn't work at current. Is there any chance I could get this support patched in?
>>
>> Most folks seem to be either ignoring the backend server validation, setting verify none, or are stripping tls altogether leaving a pretty big security hole.
>>
>> Care to elaborate why this is a security hole if the backend servers are in an internal LAN, which usually is the case when terminating ssl on the proxy?
>>
>> --
>>
>> Kevin McArthur
>>
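For readers who want to see the difference between the tutorial pattern Kevin criticises (point 3) and a verifying re-encrypt bridge, here is an added HAProxy configuration example. It is not from the thread and not HAProxy's own documentation; the certificate and CA bundle paths, the backend names and the second hostname `app2.example.ca` are assumptions, while `app1.example.ca` and the `sni ssl_fc_sni` / `verify required` / `verifyhost` keywords come from Kevin's mail. Because `verifyhost` takes a fixed hostname rather than a sample-fetch expression, the example routes by the client's SNI to one backend per hostname, so that the name HAProxy verifies is always the name the client asked for.

```haproxy
# Added example, not part of the mailing-list thread. Paths, backend names
# and app2.example.ca are assumptions; app1.example.ca is from the thread.

frontend https_in
    bind :443 ssl crt /etc/haproxy/certs/frontend.pem
    # Route by the SNI the client requested. Each backend below verifies the
    # certificate against exactly that hostname, which is what
    # "verifyhost ssl_fc_sni" was asking for. Requests whose SNI matches no
    # ACL get no backend (HAProxy answers 503), which is the safe default.
    use_backend app1_tls if { ssl_fc_sni -i app1.example.ca }
    use_backend app2_tls if { ssl_fc_sni -i app2.example.ca }

# WEAK: the pattern many "bridged HTTPS" tutorials copy. The hop is encrypted,
# but HAProxy accepts any certificate, so anything on the LAN or the shared
# cloud network that can intercept the connection can present its own
# certificate and read or modify the traffic. Encryption without
# authentication, i.e. TLS overhead with no TLS security.
backend app1_tls_weak
    server app1 app1.example.ca:443 ssl no-sslv3 verify none

# HARDENED: HAProxy validates the chain against a trusted CA bundle and
# checks that the certificate carries the expected hostname. Routing by SNI
# above guarantees the client's SNI and the verified name are the same.
backend app1_tls
    server app1 app1.example.ca:443 ssl no-sslv3 sni ssl_fc_sni verify required ca-file /etc/ssl/certs/ca-certificates.crt verifyhost app1.example.ca

backend app2_tls
    server app2 app2.example.ca:443 ssl no-sslv3 sni ssl_fc_sni verify required ca-file /etc/ssl/certs/ca-certificates.crt verifyhost app2.example.ca
```

Validate the file with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading. Two practical checks: make sure the CA bundle in `ca-file` is the one that actually issued the backend certificates (a private CA for internal hosts is fine, a public bundle will not validate it), and test the hardened backend against a server presenting a wrong or self-signed certificate to confirm HAProxy really refuses the connection rather than silently falling back. How the `sni` value and `verifyhost` interact in the name check has changed across HAProxy releases, so confirm the behaviour against the `verifyhost` entry in the configuration manual for the version you run.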