Re: Refuse connection if no certificate match

2016-06-22 Thread Holger Just
Hi Olivier,

Olivier Doucet wrote:
> Is there a way to not present the first loaded certificate and refuse
> the connection instead?

You can use the strict-sni argument on the bind line to force the client
to speak SNI and refuse the TLS handshake otherwise.

See the documentation for details at

http://cbonte.github.io/haproxy-dconv/configuration-1.6.html#5.1-strict-sni

--Holger
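A minimal bind configuration showing the option Holger points to, side by side with the default fallback behaviour; this is an added example, not configuration from the original thread, and the frontend names, ports, certificate directory and backend address are assumptions.

```haproxy
# Default behaviour (no strict-sni): a client that sends no SNI, or an SNI
# that matches none of the loaded certificates, is served the first
# certificate loaded from the directory (files are loaded in alphabetical
# order, so the default is whichever file sorts first).
frontend https-default
    bind *:443 ssl crt /etc/haproxy/certs/
    default_backend app

# With strict-sni: the TLS handshake is refused instead of falling back to
# the first loaded certificate. Clients that do not send SNI at all are
# refused as well, which is the trade-off Olivier mentions.
frontend https-strict
    bind *:8443 ssl crt /etc/haproxy/certs/ strict-sni
    default_backend app

backend app
    server app1 127.0.0.1:8080   # assumed application server
```

A quick check from a client is to connect once with a matching SNI name and once with a non-matching or absent one; with strict-sni the second handshake fails rather than returning the first loaded certificate.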



Refuse connection if no certificate match

2016-06-22 Thread Olivier Doucet
Hello,

I'm actually using HTTPS/SNI on HAProxy 1.6

Documentation states the following:

"If no SNI is provided by the client or if the SSL library does not support
TLS extensions, or if the client provides an SNI hostname which does not
match any certificate, then the first loaded certificate will be presented."

Is there a way to not present the first loaded certificate and refuse
the connection instead?
I understand that it will also block non-SNI-compatible clients, but this is
the behaviour one customer is asking for ...

Olivier