OK, finally got around to testing this out today; running into a bit of an issue with the new syntax.
What I'm trying to achieve is:
frontend www-https
bind :::443 v4v6 ssl crt /etc/haproxy/certs/www.example.org.pem crt /etc/haproxy/certs/
backend www-backend-https
server ssl 10.0.0.1:443 ssl verify required verifyhost ssl_fc_sni sni ssl_fc_sni check-ssl
The closest config format from your patch email is:
server ssl 127.0.0.1:8443 ssl verify required check inter 100 ca-file rsa2048.pem *sni req.hdr(host)*
But that is reading the Host header and passing it along (which isn't the same as the SNI indication field per the protocol). The Host header is user controlled and occurs after SNI and TLS validation -- I'd need more time to play with exploiting this, but I think you could use this to send a different-than-checked Host header to the inside server as if it were the client SNI value. Translating a non-validated user header into the TLS-protected SNI field?
So what I need here is the ability to pass the client's SNI value along to the inside server.... I think this should be ssl_fc_sni ... but if I try the above syntax it doesn't work right.
The following criteria should all be true:
1. The SNI indication should match the client's stated Host header. (verifyhost = ssl_fc_sni)
2. The SNI value should be passed along to the backend server. (sni = ssl_fc_sni)
3. The client to the haproxy and backend could be SNI indicating any
domain name, but should be TLS terminated to a matching cert in
/etc/haproxy/certs, or hit the default cert.... and then both
verify=required and verifyhost=ssl_fc_sni should pass against the
backend server or an error should result.
I might just be missing something with the config here, but I don't think the patch allows for passing along the actual ssl_fc_sni?
--
Kevin
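As an added illustration (not part of this thread and not HAProxy's own example config), the two server lines side by side: the Host-header variant flagged above, and the variant that forwards the front-connection SNI. Hostnames, addresses and the ca-file path are placeholders; verifyhost is shown with a fixed name only, since the per-request check in point 1 is not expressed by this keyword.

```haproxy
# Added example, not from the original thread. All names, addresses and
# file paths are placeholders.
frontend www-https
    mode http
    bind :::443 v4v6 ssl crt /etc/haproxy/certs/www.example.org.pem crt /etc/haproxy/certs/
    default_backend www-backend-https

# Weak: the SNI sent to the backend is copied from the Host header. The
# client sets that header independently of the SNI it used to reach
# HAProxy, and it is only read after the front TLS handshake and
# certificate selection are already done, so the backend may be told a
# name that was never checked.
backend www-backend-weak
    mode http
    server s1 10.0.0.1:443 ssl verify required ca-file /etc/haproxy/certs/backend-ca.pem sni req.hdr(host) check check-ssl

# Preferred: forward the SNI the client actually negotiated on the front
# connection (ssl_fc_sni), so the backend sees the same name HAProxy
# terminated for. verifyhost here is a fixed name; it does not vary per
# request.
backend www-backend-https
    mode http
    server s1 10.0.0.1:443 ssl verify required ca-file /etc/haproxy/certs/backend-ca.pem verifyhost www.example.org sni ssl_fc_sni check check-ssl
```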
On 2017-07-06 7:20 AM, Kevin McArthur wrote:
I'll see if I can give this a test. Thanks for adding it to master!
--
Kevin
On 2017-07-06 6:19 AM, Willy Tarreau wrote:
Hi again,
I finally merged it in master as commit 2ab8867, it will ease testing
(and a test file was provided).
Cheers,
Willy