Hello,
Since I upgraded my Chrome web browser (version 68.x), I always get a
popup to choose the client certificate when reaching a HAProxy frontend.
After some tests, I only get this popup if:
- a "personal" certificate is stored on the webbrowser,
- and the bind instruction "verify" is set to "optional" or "required".
It seems to be possible to define different options according to the SNI
with the "crt-list" parameter. The documentation
(https://cbonte.github.io/haproxy-dconv/1.8/configuration.html) says:
This setting is only available when support for OpenSSL was built in. It
designates a list of PEM file with an optional ssl configuration and a SNI
filter per certificate, with the following format for each line :
<crtfile> [\[<sslbindconf> ...\]] [[!]<snifilter> ...]
sslbindconf support "npn", "alpn", "verify", "ca-file", "no-ca-names",
"crl-file", "ecdhe", "curves", "ciphers" configuration. With BoringSSL
and Openssl >= 1.1.1 "ssl-min-ver" and "ssl-max-ver" are also supported.
It override the configuration set in bind line for the certificate.
~~~~~~~~~~~~~~~~~~~~~~~~~~~
On my side, I tried the following configuration without success:
=> frontend :
bind 0.0.0.0:443 ssl crt-list /etc/haproxy/domain_crt_list
=> with /etc/haproxy/domain_crt_list :
/etc/haproxy/domain-com.pem [verify optional] my.domain.com
/etc/haproxy/domain2-com.pem *.domain.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~
The certificate provided by the HAProxy server is different according to
the SNI, but the "verify" option is not taken into account.
Is it a known bug or is there a workaround?
Best regards
--
*Jean-Baptiste Berthelin*
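As an added illustration of the crt-list format quoted above (editor's example, not code from HAProxy or from the original mail), the following Python models how a line of the form `<crtfile> [[<sslbindconf> ...]] [[!]<snifilter> ...]` is parsed and which per-certificate ssl options end up applying to a given SNI, with the bind line's `verify none` default as the fallback. It is a simplified model, not HAProxy's parser: the crt-list content is constructed (based on the one in the mail, with an extra wildcard entry), the exact-before-wildcard precedence and the one-label wildcard rule are assumptions, and entries without any SNI filter (where HAProxy uses the certificate's CN/SAN instead) are not matched at all.

```python
"""Model of HAProxy's crt-list line format and per-SNI option resolution.

Editor's example; simplified, not HAProxy's own parser. Assumptions are
marked in comments.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Keywords inside [...] that take no argument (assumption: all others take one).
FLAG_KEYWORDS = {"no-ca-names"}

# Bind-line defaults for the options a crt-list entry may override.
# HAProxy's default for "verify" is "none", i.e. no CertificateRequest is sent.
BIND_DEFAULTS = {"verify": "none"}

# Constructed crt-list content modelled on the one in the mail (not a real file).
CRT_LIST = """\
# exact hostname: client certificate requested, but optional
/etc/haproxy/domain-com.pem [verify optional ca-file /etc/haproxy/clients-ca.pem] my.domain.com
# wildcard: inherits the bind line settings (verify none)
/etc/haproxy/domain2-com.pem *.domain.com
# wildcard with an excluded name; "no-ca-names" is a keyword without argument
/etc/haproxy/example-org.pem [verify required no-ca-names] *.example.org !internal.example.org
"""


@dataclass
class CrtListEntry:
    crtfile: str
    ssl_conf: Dict[str, str] = field(default_factory=dict)
    include: List[str] = field(default_factory=list)   # positive SNI filters
    exclude: List[str] = field(default_factory=list)   # "!name" filters


def parse_line(line: str) -> Optional[CrtListEntry]:
    """Parse one crt-list line; returns None for blank and comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split(None, 1)
    entry = CrtListEntry(crtfile=parts[0])
    rest = parts[1].strip() if len(parts) > 1 else ""
    if rest.startswith("["):                       # optional [sslbindconf ...]
        close = rest.find("]")
        if close < 0:
            raise ValueError(f"unterminated ssl config in: {line}")
        tokens = rest[1:close].split()
        rest = rest[close + 1:]
        i = 0
        while i < len(tokens):
            kw = tokens[i]
            if kw in FLAG_KEYWORDS:
                entry.ssl_conf[kw] = ""
                i += 1
            elif i + 1 < len(tokens):
                entry.ssl_conf[kw] = tokens[i + 1]
                i += 2
            else:
                raise ValueError(f"missing argument for {kw!r} in: {line}")
    for flt in rest.split():                       # remaining words are SNI filters
        if flt.startswith("!"):
            entry.exclude.append(flt[1:].lower())
        else:
            entry.include.append(flt.lower())
    return entry


def parse_crt_list(text: str) -> List[CrtListEntry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def filter_matches(flt: str, sni: str) -> bool:
    """Exact match, or '*.rest' matching exactly one leading label (assumption)."""
    if flt == sni:
        return True
    if flt.startswith("*."):
        _, dot, parent = sni.partition(".")
        return bool(dot) and parent == flt[2:]
    return False


def select_entry(entries: List[CrtListEntry], sni: str) -> Optional[CrtListEntry]:
    """Pick the entry serving this SNI: exact filters before wildcards (assumption)."""
    sni = sni.lower()
    exact = [e for e in entries if sni in e.include]
    wild = [e for e in entries
            if e not in exact and any(filter_matches(f, sni) for f in e.include)]
    for candidate in exact + wild:
        if not any(filter_matches(f, sni) for f in candidate.exclude):
            return candidate
    return None                                    # falls back to the default certificate


def effective_ssl_conf(entries: List[CrtListEntry], sni: str) -> Dict[str, str]:
    """Bind-line defaults overridden by the selected entry's [...] options."""
    conf = dict(BIND_DEFAULTS)
    entry = select_entry(entries, sni)
    if entry is not None:
        conf.update(entry.ssl_conf)
    return conf


def client_cert_requested(entries: List[CrtListEntry], sni: str) -> bool:
    """True when the resolved config makes the server send a CertificateRequest,
    which is what triggers the browser's certificate chooser popup."""
    return effective_ssl_conf(entries, sni)["verify"] in ("optional", "required")


if __name__ == "__main__":
    entries = parse_crt_list(CRT_LIST)
    for name in ("my.domain.com", "www.domain.com", "api.example.org", "internal.example.org"):
        entry = select_entry(entries, name)
        print(name, entry.crtfile if entry else "<default cert>", effective_ssl_conf(entries, name))
```

Against the constructed list, `my.domain.com` resolves to `verify optional` (a CertificateRequest is expected, hence the popup) while `www.domain.com` keeps the bind line's `verify none`. To check what a live HAProxy actually does per SNI, rather than what the config is meant to do, `openssl s_client -connect host:443 -servername my.domain.com -msg` prints the handshake messages, so the presence or absence of a CertificateRequest message can be compared across server names.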