Hello HAProxy community! We’ve recently updated from OpenSSL 1.1.1 to OpenSSL 3.0 for our HAProxy deployment.

We are now seeing some client certificates getting denied with these error messages: “SSL client CA chain cannot be verified” / “error:0A000086:SSL routines::certificate verify failed” 30/000000000A000086

We found out that for this CA certificate, the error was X509_V_ERR_MISSING_SUBJECT_KEY_IDENTIFIER. This error is only thrown if we run openssl verify with the “-x509_strict” option. The same call (even with the “-x509_strict” option) on OpenSSL 1.1.1 returned OK and verified.

As this was a bit surprising to us and we now have a customer who can’t use their client certificate anymore, we wanted to ask for some details on the OpenSSL verify check in HAProxy:

* How does HAProxy call the “verify” command in OpenSSL?
* Does HAProxy use the “x509_strict” option programmatically?
* Is there a flag in HAProxy that would allow us to temporarily disable the “strict” setting so that the customer has time to update their PKI?
* If there is no flag, we could temporarily patch out the code that uses the flag; can you give us some pointers?

Thanks a lot for your help!

Dominik Froehlich, SAP
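Since the post pins the strict-mode failure on a CA certificate that has no Subject Key Identifier extension, the practical follow-up is to find every such CA in a trust bundle before it affects another customer. The script below is an added example, not code from the post, HAProxy or OpenSSL; it assumes a PEM bundle and does only the minimal DER walking needed to list extension OIDs (no signature, validity or chain checks).

```python
# Added example: find CA certs in a PEM bundle with no Subject Key Identifier
# extension (OID 2.5.29.14). Stdlib only; minimal DER walking, no validation.
import base64, re
SKID_OID = "2.5.29.14"

def der(tag, content):  # short-form DER TLV encoder, for building sample input
    return bytes([tag, len(content)]) + content

def der_tlv(buf, pos=0):
    """Decode the TLV at pos; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(content):  # yield (tag, content) of each TLV in a constructed value
    pos = 0
    while pos < len(content):
        tag, inner, pos = der_tlv(content, pos)
        yield tag, inner

def decode_oid(raw):
    """Dotted form of an OID's content bytes, e.g. 55 1D 0E -> 2.5.29.14."""
    arcs, n = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(n))
            n = 0
    return ".".join(arcs)

def extension_oids(cert_der):
    """OIDs of all extensions in a DER certificate (empty list if none)."""
    _, cert, _ = der_tlv(cert_der)                 # Certificate
    _, tbs, _ = der_tlv(cert)                      # tbsCertificate
    for tag, content in der_children(tbs):
        if tag == 0xA3:                            # [3] EXPLICIT Extensions
            _, exts, _ = der_tlv(content)          # SEQUENCE OF Extension
            return [decode_oid(next(der_children(e))[1]) for _, e in der_children(exts)]
    return []

def pem_certs(bundle_text):
    """DER blobs for every CERTIFICATE block in a PEM bundle."""
    pat = r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----"
    return [base64.b64decode("".join(b.split())) for b in re.findall(pat, bundle_text, re.S)]

def certs_missing_skid(bundle_text):  # 0-based indexes of certs lacking a SKID extension
    return [i for i, c in enumerate(pem_certs(bundle_text)) if SKID_OID not in extension_oids(c)]
```

`certs_missing_skid(open("ca-bundle.pem").read())` returns the positions of the offending certificates; `der` exists only so that sample input can be constructed without a real PKI.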