On Thu, Mar 26, 2020 at 02:39:03PM +0100, Emmanuel Hocdet wrote:
> On 26 Mar 2020 at 14:11, Илья Шипицин <chipits...@gmail.com> wrote:
> >
> > Thu, 26 Mar 2020 at 17:27, Emmanuel Hocdet <m...@gandi.net>:
> > >
> > > On 26 Mar 2020 at 13:02, Илья Шипицин <chipits...@gmail.com> wrote:
> > > >
> > > > RootCA is needed if you send cross certificate as well.
> > > >
> > > > It is very rare but legitimate case
> > >
> > > It’s only for self issued CA, it should be safe, right?
> >
> > I do not know what "yes" or "no" would mean :)
> >
> > by cross certificate I mean chain like that
> >
> > server cert --> intermediate CA --> root CA --> cross certificate
> >
> > https://knowledge.digicert.com/generalinformation/INFO2523.html
> >
> > root CA is self issued
>
> self issued CA is a root CA
> Subject == Issuer
>
> In your example:
>
> Subject: C = US, O = "thawte, Inc.", OU = Certification Services Division, OU = "(c) 2006 thawte, Inc. - For authorized use only", CN = thawte Primary Root CA
> Issuer: C = ZA, ST = Western Cape, L = Cape Town, O = Thawte Consulting cc, OU = Certification Services Division, CN = Thawte Premium Server CA, emailAddress = premium-ser...@thawte.com
After some thinking and discussing with people involved in this part of HAProxy, I'm not feeling very comfortable with setting this behavior by default; on top of that the next version is an LTS so it's not a good idea to change this behavior yet. I think in most cases it won't be a problem but it would be better if it's enabled by an option in the global section.

-- 
William Lallemand
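The chain shape Ilya describes (server cert, intermediate CA, root CA, cross certificate) and Emmanuel's Subject == Issuer test, worked through in Go as an added example for this page; it is not code from HAProxy or from anyone in the thread. Every CA name is hypothetical and every key and certificate is generated at run time. The rule used to spot a cross-certificate (a CA cert that is not self-issued but carries the same subject and public key as another element of the chain) is this example's own assumption, not something the thread states.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// PKI is a constructed demo hierarchy (hypothetical names, keys generated at run time).
type PKI struct {
	OldRoot, NewRoot, Cross, Intermediate, Leaf *x509.Certificate
}

var nextSerial int64

// newTemplate builds a minimal CA or end-entity template.
func newTemplate(cn string, isCA bool) *x509.Certificate {
	nextSerial++
	t := &x509.Certificate{
		SerialNumber: big.NewInt(nextSerial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA,
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issue signs template t for public key pub under parent, using the parent's private key.
func issue(t, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

func genKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// BuildPKI constructs: old self-signed root, new self-signed root, a cross-certificate
// for the new root signed by the old root, an intermediate under the new root, a leaf.
func BuildPKI() *PKI {
	oldKey, newKey, intKey, leafKey := genKey(), genKey(), genKey(), genKey()
	oldT := newTemplate("Old Root CA", true)
	oldRoot := issue(oldT, oldT, &oldKey.PublicKey, oldKey) // self-signed: parent is itself
	newT := newTemplate("New Root CA", true)
	newRoot := issue(newT, newT, &newKey.PublicKey, newKey)
	// Cross-certificate: same subject and key as New Root CA, but Issuer is Old Root CA,
	// so Subject != Issuer even though it names the same CA.
	cross := issue(newTemplate("New Root CA", true), oldRoot, &newKey.PublicKey, oldKey)
	inter := issue(newTemplate("Intermediate CA", true), newRoot, &intKey.PublicKey, newKey)
	leaf := issue(newTemplate("www.example.test", false), inter, &leafKey.PublicKey, intKey)
	return &PKI{OldRoot: oldRoot, NewRoot: newRoot, Cross: cross, Intermediate: inter, Leaf: leaf}
}

// SentChain is the order from the thread: server cert --> intermediate CA --> root CA --> cross certificate.
func (p *PKI) SentChain() []*x509.Certificate {
	return []*x509.Certificate{p.Leaf, p.Intermediate, p.NewRoot, p.Cross}
}

// IsSelfIssued is the thread's test: Subject == Issuer, compared on the DER encoding.
func IsSelfIssued(c *x509.Certificate) bool {
	return bytes.Equal(c.RawSubject, c.RawIssuer)
}

// Classify labels each element; "cross-certificate" is this example's own heuristic:
// a non-self-issued CA cert sharing subject and public key with another chain element.
func Classify(chain []*x509.Certificate) []string {
	out := make([]string, len(chain))
	for i, c := range chain {
		switch {
		case !c.IsCA:
			out[i] = "leaf"
		case IsSelfIssued(c):
			out[i] = "self-issued root"
		default:
			out[i] = "intermediate CA"
			for j, o := range chain {
				if j != i && bytes.Equal(c.RawSubject, o.RawSubject) &&
					bytes.Equal(c.RawSubjectPublicKeyInfo, o.RawSubjectPublicKeyInfo) {
					out[i] = "cross-certificate"
				}
			}
		}
	}
	return out
}

// Verifies reports whether leaf chains to root using only the supplied intermediates.
func Verifies(leaf, root *x509.Certificate, intermediates ...*x509.Certificate) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return err == nil
}

func main() {
	p := BuildPKI()
	for i, label := range Classify(p.SentChain()) {
		c := p.SentChain()[i]
		fmt.Printf("%d: %-17s subject=%q issuer=%q\n", i, label, c.Subject.CommonName, c.Issuer.CommonName)
	}
	fmt.Println("client trusts new root, no cross cert:", Verifies(p.Leaf, p.NewRoot, p.Intermediate))
	fmt.Println("client trusts old root, cross cert sent:", Verifies(p.Leaf, p.OldRoot, p.Intermediate, p.Cross))
	fmt.Println("client trusts old root, cross cert omitted:", Verifies(p.Leaf, p.OldRoot, p.Intermediate))
}
```

Running it shows why the two statements in the thread fit together: the root element is the only one with Subject == Issuer, while the cross-certificate names the same CA but is not self-issued, so a rule that strips only self-issued certificates from the sent chain keeps the cross-certificate and drops the root. A client that already trusts the new root builds its path without either element; a client that trusts only the old root needs the cross-certificate and fails without it.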