Re: ssl_c_sha256 ?

2020-06-29 Thread Stephane Martin (stepham2)
Perfect, thank you all. Classical choice between "upgrade" and "backport" now.

On 29/06/2020 12:59, « Tim Düsterhus » wrote:

Stephane,

On 29.06.20 at 12:56, Stephane Martin (stepham2) wrote:
> Thank you for your quick answers!
> 
> So I understand that it is possible for haproxy >= 2.1. For haproxy 2.0,
> I've got to backport the sha2 filter, right?

That is correct. I expect the commit I linked to apply pretty seamlessly
to HAProxy 2.0; it contains all you need.

One small note: The correct terminology for "sha2 filter" is "sha2
converter".

Best regards
Tim Düsterhus



Re: ssl_c_sha256 ?

2020-06-29 Thread Stephane Martin (stepham2)
Thank you for your quick answers!

So I understand that it is possible for haproxy >= 2.1. For haproxy 2.0, I've got to
backport the sha2 filter, right?

Stephane


On 29/06/2020 12:54, « Tim Düsterhus » wrote:

Jarno,

On 29.06.20 at 12:46, Jarno Huuskonen wrote:
>> The ssl_c_sha1 is simply a hash of the DER representation of the
>> certificate. So you can just hash it with the sha2 converter:
>>
>> ssl_c_sha256,sha2(256)
> 
> I think the first fetch should be ssl_c_der ?
> (ssl_c_der,sha2(256))
> 

You are right, of course.

While adjusting the example from the commit message I replaced the 'der'
instead of the 'f'.

Best regards
Tim Düsterhus
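The converter chain the thread settles on, `ssl_c_der,sha2(256)`, worked through as an added example (not part of the thread or of HAProxy's own code): it reproduces what HAProxy computes so the pin can be generated offline, and shows the ACL lines built from it. The `hex` converter, the `ssl_c_used` fetch and the `pinned_client` ACL name are additions from HAProxy's documented configuration language, and the PEM blob is a constructed placeholder, not a real certificate.

```python
import base64
import hashlib
import ssl

# Constructed placeholder, NOT a real certificate: its "DER" is arbitrary bytes,
# which is enough to exercise the PEM -> DER -> SHA-256 -> hex chain.
PLACEHOLDER_DER = b"constructed placeholder bytes, not a real certificate"
EXAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(PLACEHOLDER_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)


def pem_to_der(pem: str) -> bytes:
    """PEM is just base64 around the DER bytes that the ssl_c_der fetch exposes."""
    return ssl.PEM_cert_to_DER_cert(pem)


def haproxy_sha256_fingerprint(der: bytes) -> str:
    """Reproduce the converter chain ssl_c_der,sha2(256),hex.

    HAProxy's hex converter emits uppercase digits with no separators, so the
    pin written into the ACL must use the same form (or be matched with -i).
    """
    return hashlib.sha256(der).hexdigest().upper()


def normalize_openssl_fingerprint(text: str) -> str:
    """Turn 'SHA256 Fingerprint=AB:CD:...' (openssl x509 -fingerprint -sha256)
    into HAProxy's colon-free uppercase form; a pasted colon form never matches."""
    return text.split("=", 1)[-1].replace(":", "").strip().upper()


def pin_acl_lines(fingerprints, acl_name: str = "pinned_client") -> list:
    """Config lines accepting only the pinned client certificates (sha2 needs
    HAProxy >= 2.1). Assumes the bind line already has ca-file and verify set."""
    pins = " ".join(sorted(set(fingerprints)))
    return [
        f"acl {acl_name} ssl_c_der,sha2(256),hex -m str {pins}",
        f"http-request deny unless {{ ssl_c_used }} {acl_name}",
    ]


def presented_cert_is_pinned(presented_der: bytes, pinned: set) -> bool:
    """What the ACL evaluates per request: hash the presented DER, compare to pins."""
    return haproxy_sha256_fingerprint(presented_der) in pinned
```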



ssl_c_sha256 ?

2020-06-29 Thread Stephane Martin (stepham2)
Hello,

I'm trying to set up TLS mutual authentication using pinned certificates in
haproxy, i.e. only accept a precise known certificate from the peer.

It is definitely possible using ACL and ssl_c_sha1, so that the route will
only be accessible if the peer certificate has the right SHA1 fingerprint.

But sha1 usage is strongly not recommended for compliance (you can understand
why...).

In haproxy documentation I don't see any option to work with the sha256 
fingerprint of the peer certificate.

- Is there any other way to get that?
- If it needs to be implemented in haproxy, would you have any clue where to
start?

Kind regards,
Stephane