Hi,
I think we found the issue:
It seems there was a misunderstanding on our side regarding the HAProxy
documentation for the "verifyhost" option.
If I get it right, the documentation says that if we have a haproxy config that
- Has "verify required"
- Does not use SNI
- Has no "verifyhost"
Then HAProxy will simply ignore whatever hostname the server sends back in its
certificate and the handshake will be OK.
If the "verifyhost" option is set and it does match the pattern, SSL handshake
will also be OK.
If the "verifyhost" option is set and it does not match the pattern, SSL
handshake will fail.
We tested this with two different HAProxy configs now and I can confirm that
it's exactly like that.
(The server is always presenting the same certificate, with "*.foo.bar" in its
common name / subject.)
TESTBACKEND1 config (WORKING) looks like this:
# --- TESTBACKEND1
backend TESTBACKEND1
option forwardfor except 127.0.0.0/8
server TESTBACKEND1-server 10.1.1.1:443 check inter 30s verify required ssl verifyhost www.foo.bar ca-file /etc/haproxy/certs/backend-ca-certificates.crt crt /etc/haproxy/certs/frontend-server-certificate.pem
TESTBACKEND2 config (NOT WORKING) looks like this:
# --- TESTBACKEND2
backend TESTBACKEND2
option forwardfor except 127.0.0.0/8
server TESTBACKEND2-server 10.1.1.1:443 check inter 30s verify required ssl verifyhost www.ham.eggs ca-file /etc/haproxy/certs/backend-ca-certificates.crt crt /etc/haproxy/certs/frontend-server-certificate.pem
Please can you confirm that our understanding of HAProxy documentation is
correct?
If so, then we could mark this topic as "solved" :-)
BR
Martin
-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Saturday, 14 July 2018 11:35
To: Martin RADEL <[email protected]>
Cc: [email protected]
Subject: Re: TLS handshake works with certificate name mismatch using "verify
required" and "verifyhost"
Hello Martin,
> we have a strange situation with our HAProxy, running on Version 1.8.8 with
> OpenSSL.
Please share the output of haproxy -vv. Did you build OpenSSL yourself, or is
this a distribution-provided OpenSSL lib? I am asking because build issues can
lead to very strange behavior.
> server BACKEND1-server 10.1.1.1:443 check inter 30s verify required
> ssl verifyhost *.foo.bar
*.foo.bar is not a valid hostname. It is a valid wildcard representation in a
cert's SAN, yes, but not a hostname. Use a real hostname for verifyhost instead,
like www.foo.bar.
Also, let's confirm the backend is really configured as per expectations, by
running requests via curl from the haproxy box:
This should work:
curl -v --cacert /etc/haproxy/certs/backend-ca-certificates.crt --resolve www.foo.bar:443:10.1.1.1 https://www.foo.bar/
This should fail:
curl -v --cacert /etc/haproxy/certs/backend-ca-certificates.crt --resolve www.foo.fail:443:10.1.1.1 https://www.foo.fail/
cheers,
lukas
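As an added illustration of the three cases Martin lists (no verifyhost and no SNI: name not checked; verifyhost matching the cert: OK; verifyhost not matching: fail) and of Lukas's point that "*.foo.bar" is a certificate wildcard rather than a hostname, here is a small Python model of the RFC 6125-style name matching that "verifyhost" delegates to OpenSSL. This is example code written for this thread, not HAProxy or OpenSSL code; the function names, the `backend_name_check` return shape and the rejection of a "*" in the expected name are this example's own choices (the last one is input validation in the spirit of Lukas's remark, not a claim about how HAProxy itself handles such a value). The certificate names are constructed from the thread ("*.foo.bar"), and the "verifyhost overrides SNI, no name check when both are absent" rule follows the HAProxy "verify required" / "verifyhost" documentation.

```python
"""Model of the server-certificate name check behind HAProxy's
"server ... ssl verify required [verifyhost <name>] [sni <expr>]".

Example code for this thread only; not HAProxy's or OpenSSL's implementation.
"""
from typing import Iterable, Optional, Tuple


def _label_matches(cert_label: str, host_label: str) -> bool:
    """A whole-label wildcard '*' matches exactly one non-empty DNS label."""
    if cert_label == "*":
        return len(host_label) > 0
    return cert_label == host_label


def cert_name_matches(cert_name: str, hostname: str) -> bool:
    """True if a certificate name (CN or dNSName SAN) covers `hostname`.

    Rules modelled after RFC 6125 / X509_check_host:
      - comparison is case-insensitive and ignores a trailing dot
      - '*' is honoured only as the complete left-most label
      - '*' never spans a dot ("*.foo.bar" does not cover "a.b.foo.bar")
      - a wildcard directly under a public suffix ("*.com") is refused
    """
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if len(cert_labels) != len(host_labels):
        return False
    # Partial wildcards ("w*.foo.bar") or non-leading ones ("foo.*.bar") are not honoured.
    if any("*" in label and label != "*" for label in cert_labels):
        return False
    if "*" in cert_labels[1:]:
        return False
    if cert_labels[0] == "*" and len(cert_labels) < 3:
        return False
    return all(_label_matches(c, h) for c, h in zip(cert_labels, host_labels))


def backend_name_check(
    cert_names: Iterable[str],
    verifyhost: Optional[str] = None,
    sni: Optional[str] = None,
) -> Tuple[bool, str]:
    """Decide whether the name check on a 'verify required' server line passes.

    `cert_names` are the names the backend presented (SAN dNSNames and/or CN).
    Per the HAProxy docs, "verifyhost" overrides the SNI value; when neither is
    set the chain is still verified but no hostname is checked (Martin's case 1).
    Returns (ok, reason).
    """
    expected = verifyhost or sni
    if expected is None:
        return True, "no verifyhost and no SNI: chain verified, hostname not checked"
    # Example-only validation following Lukas's remark: a wildcard is a cert
    # pattern, not a hostname, so it is not a usable verifyhost value.
    if "*" in expected:
        return False, f"{expected!r} is a certificate wildcard, not a hostname"
    for name in cert_names:
        if cert_name_matches(name, expected):
            return True, f"{expected} matches certificate name {name}"
    return False, f"{expected} matches none of {list(cert_names)}"


if __name__ == "__main__":
    # Constructed input: the backend from the thread presents a cert for "*.foo.bar".
    backend_cert = ["*.foo.bar"]
    for kwargs in (
        {},                                 # TESTBACKEND without verifyhost/SNI
        {"verifyhost": "www.foo.bar"},      # TESTBACKEND1: handshake OK
        {"verifyhost": "www.ham.eggs"},     # TESTBACKEND2: handshake fails
        {"verifyhost": "*.foo.bar"},        # the original, invalid verifyhost
        {"sni": "www.foo.bar"},             # name taken from SNI when no verifyhost
    ):
        ok, why = backend_name_check(backend_cert, **kwargs)
        print(f"{kwargs!s:32} -> {'OK  ' if ok else 'FAIL'} ({why})")
```

Running the block prints one line per case; the first, second and fifth pass, the third and fourth fail. To reproduce the real thing rather than the model, Lukas's two curl invocations above (or `openssl s_client -verify_hostname <name>`) against the backend are the checks to run from the HAProxy host.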
This message and any attachment ("the Message") are confidential. If you have
received the Message in error, please notify the sender immediately and delete
the Message from your system, any use of the Message is forbidden.
Correspondence via e-mail is primarily for information purposes. RBI neither
makes nor accepts legally binding statements via e-mail unless explicitly
agreed otherwise. Information pursuant to § 14 Austrian Companies Code:
Raiffeisen Bank International AG; Registered Office: Am Stadtpark 9, 1030
Vienna,Austria; Company Register Number: FN 122119m at the Commercial Court of
Vienna (Handelsgericht Wien).