On Tue, May 09, 2017 at 12:12:42AM +0200, Lukas Tribus wrote:
> Haproxy can verify the certificate of backend TLS servers since day 1.
>
> The only thing missing is client SNI based backend certificate
> verification, which yes - since we can pass client SNI to the TLS server
> - we need to consider for the certificate verification process as well.
In fact the cert name is checked, it's just that it can only check against a constant in the configuration. I agree that it's a problem when using SNI. Furthermore it forces one to completely disable verifyhost in case SNI is used.

I tend to think that the best approach would be to always enable it when SNI is involved in fact, because if SNI is used to the server, it really means we want to check what cert is provided. This could then possibly be explicitly turned off by the "verify none" directive.

I have absolutely no idea how to do that however, I don't know if we can retrieve the previously configured SNI using openssl's API after the connection is established.

Willy
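To make the limitation discussed above concrete, here is an added HAProxy configuration fragment (not part of the thread; backend names, addresses, the CA file path and the hostname are assumed). The first backend shows the situation the thread describes as working: the server name is a constant, so `verifyhost` can pin it. The second backend forwards the client's SNI, where a single `verifyhost` constant cannot match every forwarded name; `verify required` with a `ca-file` still validates the certificate chain, only the name check is what cannot follow the SNI at the time of this thread.

```haproxy
# Added example, not from the mailing-list thread.
# Assumed values: backend addresses, /etc/haproxy/ca.pem, app.internal.example.

# Case 1: fixed backend hostname. The chain is validated against ca.pem and
# the certificate name is checked against the constant given to verifyhost.
backend app_fixed
    server app1 10.0.0.10:443 ssl verify required ca-file /etc/haproxy/ca.pem verifyhost app.internal.example

# Case 2: the client's SNI is forwarded to the server. The name check can only
# compare against a constant, so verifyhost cannot express "match the SNI we
# just sent"; leaving it out keeps chain validation (verify required) but
# drops the name check, which is the gap Willy describes.
backend app_sni
    server app2 10.0.0.20:443 ssl verify required ca-file /etc/haproxy/ca.pem sni ssl_fc_sni
```

Keeping `verify required` and the `ca-file` in the SNI case matters from a defensive standpoint: without them the backend certificate is not validated at all, whereas with them an attacker would at least need a certificate issued by the trusted CA rather than any self-signed one.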