Re: ssl_c_sha256 ?
Perfect, thank you all. Classical choice between "upgrade" and "backport" now.

On 29/06/2020 12:59, « Tim Düsterhus » wrote:
> Stephane,
>
> On 29.06.20 at 12:56, Stephane Martin (stepham2) wrote:
> > Thank you for your quick answers!
> >
> > So I understand that it is possible for haproxy >= 2.1. For haproxy 2.0, I've got to backport the sha2 filter, right?
>
> That is correct. I expect the commit I linked to apply pretty seamlessly to HAProxy 2.0, it contains all you need.
>
> One small note: The correct terminology for "sha2 filter" is "sha2 converter".
>
> Best regards
> Tim Düsterhus
Re: ssl_c_sha256 ?
Stephane,

On 29.06.20 at 12:56, Stephane Martin (stepham2) wrote:
> Thank you for your quick answers!
>
> So I understand that it is possible for haproxy >= 2.1. For haproxy 2.0, I've got
> to backport the sha2 filter, right?

That is correct. I expect the commit I linked to apply pretty seamlessly to HAProxy 2.0, it contains all you need.

One small note: The correct terminology for "sha2 filter" is "sha2 converter".

Best regards
Tim Düsterhus
Re: ssl_c_sha256 ?
Thank you for your quick answers!

So I understand that it is possible for haproxy >= 2.1. For haproxy 2.0, I've got to backport the sha2 filter, right?

Stephane

On 29/06/2020 12:54, « Tim Düsterhus » wrote:
> Jarno,
>
> On 29.06.20 at 12:46, Jarno Huuskonen wrote:
> >> The ssl_c_sha1 is simply a hash of the DER representation of the
> >> certificate. So you can just hash it with the sha2 converter:
> >>
> >> ssl_c_sha256,sha2(256)
> >
> > I think the first fetch should be ssl_c_der?
> > (ssl_c_der,sha2(256))
> >
>
> You are right, of course. While adjusting the example from the commit message I replaced the 'der' instead of the 'f'.
>
> Best regards
> Tim Düsterhus
Re: ssl_c_sha256 ?
Jarno,

On 29.06.20 at 12:46, Jarno Huuskonen wrote:
>> The ssl_c_sha1 is simply a hash of the DER representation of the
>> certificate. So you can just hash it with the sha2 converter:
>>
>> ssl_c_sha256,sha2(256)
>
> I think the first fetch should be ssl_c_der?
> (ssl_c_der,sha2(256))
>

You are right, of course. While adjusting the example from the commit message I replaced the 'der' instead of the 'f'.

Best regards
Tim Düsterhus
Re: ssl_c_sha256 ?
Hi,

On Mon, 2020-06-29 at 12:37 +0200, Tim Düsterhus wrote:
> Stephane,
>
> On 29.06.20 at 12:01, Stephane Martin (stepham2) wrote:
> > In haproxy documentation I don't see any option to work with the sha256
> > fingerprint of the peer certificate.
> >
> > - Is there any other way to get that?
>
> Yes, see this commit message:
> https://github.com/haproxy/haproxy/commit/d4376302377e4f51f43a183c2c91d929b27e1ae3
>
> The ssl_c_sha1 is simply a hash of the DER representation of the
> certificate. So you can just hash it with the sha2 converter:
>
> ssl_c_sha256,sha2(256)

I think the first fetch should be ssl_c_der?
(ssl_c_der,sha2(256))

-Jarno

-- 
Jarno Huuskonen
Re: ssl_c_sha256 ?
Hi,

On Mon, 2020-06-29 at 10:01, Stephane Martin (stepham2) wrote:
> Hello,
>
> I'm trying to set up TLS mutual authentication using pinned certificates in
> haproxy, i.e. only accept a precise known certificate from the peer.
>
> It is definitely possible using ACL and ssl_c_sha1, so that the route
> will only be accessible if the peer certificate has the right SHA1
> fingerprint.
>
> But sha1 usage is strongly not recommended for compliance (you can
> understand why...).
>
> In haproxy documentation I don't see any option to work with the sha256
> fingerprint of the peer certificate.
>
> - Is there any other way to get that?

With haproxy 2.2(dev) this might work:
ssl_c_der,digest(sha256),hex
https://cbonte.github.io/haproxy-dconv/2.2/configuration.html#7.3.1-digest
https://cbonte.github.io/haproxy-dconv/2.2/configuration.html#7.3.4-ssl_c_der

And with haproxy 2.1:
ssl_c_der,sha2,hex
(https://cbonte.github.io/haproxy-dconv/2.1/configuration.html#7.3.1-sha2)

(I didn't test if these examples actually work).

> - If it needs to be implemented in haproxy, would you have any clue where
> to start?

(Backport digest from haproxy-2.2 to required version?)

-Jarno

-- 
Jarno Huuskonen
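The expression the thread converges on is `ssl_c_der,sha2(256),hex` on HAProxy 2.1 and later (or `ssl_c_der,digest(sha256),hex` on 2.2): the same construction as `ssl_c_sha1`, just with SHA-256 over the DER-encoded peer certificate. The value to pin must therefore be the SHA-256 of the DER bytes, rendered the way HAProxy's `hex` converter renders it (uppercase, no colons), which is not quite the colon-separated form that `openssl x509 -noout -fingerprint -sha256` prints. The script below is an added example, not code from the HAProxy project or from anyone in this thread; it derives the pin offline from a PEM file and shows how the ACL is built. The PEM body in it is constructed (it decodes to the bytes `abc`, not to a real X.509 structure), the `client_pinned` ACL name and the `/etc/haproxy/...` paths in the config comment are assumptions, and the caveat to keep in mind is that pinning the whole certificate means every renewal of the client certificate changes the pin.

```python
# Added example (not HAProxy project code): compute the value that
# "ssl_c_der,sha2(256),hex" (HAProxy 2.1+) / "ssl_c_der,digest(sha256),hex"
# (2.2+) evaluates to for a given client certificate, so it can be pinned in
# an ACL. Assumed config fragment that consumes the result (paths assumed):
#
#   frontend fe_mtls
#       bind :443 ssl crt /etc/haproxy/server.pem ca-file /etc/haproxy/clients-ca.pem verify required
#       acl client_pinned ssl_c_der,sha2(256),hex -m str <pin from acl_line() below>
#       http-request deny unless client_pinned
import base64
import hashlib
import re

# Constructed stand-in for a PEM client certificate. The base64 body "YWJj"
# decodes to b"abc", NOT to a real X.509 DER structure; a real certificate
# goes through exactly the same steps, only its body is longer.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the body. The result is the
    byte string HAProxy exposes through the ssl_c_der sample fetch."""
    m = _PEM_BLOCK.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block found in PEM input")
    return base64.b64decode("".join(m.group(1).split()))


def to_haproxy_hex(raw: bytes) -> str:
    """HAProxy's hex converter: two uppercase hex digits per input byte."""
    return raw.hex().upper()


def fingerprint(der: bytes, algo: str) -> str:
    """fingerprint(der, "sha1")   == what ssl_c_sha1,hex yields
    fingerprint(der, "sha256") == what ssl_c_der,sha2(256),hex yields"""
    return to_haproxy_hex(hashlib.new(algo, der).digest())


def openssl_to_haproxy(line: str) -> str:
    """Turn a line from `openssl x509 -noout -fingerprint -sha256`
    (e.g. 'sha256 Fingerprint=BA:78:...') into HAProxy's colon-free
    uppercase form so it can be pasted into the ACL."""
    value = line.split("=", 1)[-1]
    return value.strip().replace(":", "").upper()


def acl_line(der: bytes, acl_name: str = "client_pinned") -> str:
    """Render the ACL. The hex converter is uppercase and -m str is an
    exact, case-sensitive match, so the pin must be uppercase too."""
    return f"acl {acl_name} ssl_c_der,sha2(256),hex -m str {fingerprint(der, 'sha256')}"


def is_pinned(presented_der: bytes, pin: str) -> bool:
    """The decision the ACL makes at runtime: exact match of the SHA-256
    of the presented DER certificate against the configured pin."""
    return fingerprint(presented_der, "sha256") == pin.upper()


if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    print("sha1   (ssl_c_sha1,hex):          ", fingerprint(der, "sha1"))
    print("sha256 (ssl_c_der,sha2(256),hex): ", fingerprint(der, "sha256"))
    print(acl_line(der))
```

`hashlib.new("sha1", ...)` is kept only to show that `ssl_c_sha1` is the same hash-over-DER construction; the pin itself should be the SHA-256 value. If several client certificates are allowed, put one fingerprint per line in a file and use `-m str -f /path/to/pins` instead of a single literal.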
Re: ssl_c_sha256 ?
Stephane,

On 29.06.20 at 12:01, Stephane Martin (stepham2) wrote:
> In haproxy documentation I don't see any option to work with the sha256
> fingerprint of the peer certificate.
>
> - Is there any other way to get that?

Yes, see this commit message:
https://github.com/haproxy/haproxy/commit/d4376302377e4f51f43a183c2c91d929b27e1ae3

The ssl_c_sha1 is simply a hash of the DER representation of the certificate. So you can just hash it with the sha2 converter:

ssl_c_sha256,sha2(256)

Best regards
Tim Düsterhus
ssl_c_sha256 ?
Hello,

I'm trying to set up TLS mutual authentication using pinned certificates in haproxy, i.e. only accept a precise known certificate from the peer.

It is definitely possible using ACL and ssl_c_sha1, so that the route will only be accessible if the peer certificate has the right SHA1 fingerprint.

But sha1 usage is strongly not recommended for compliance (you can understand why...).

In haproxy documentation I don't see any option to work with the sha256 fingerprint of the peer certificate.

- Is there any other way to get that?
- If it needs to be implemented in haproxy, would you have any clue where to start?

Kind regards,
Stephane