Re: SSL Termination or Passthrough

2017-02-17 Thread Daniel Schneller
Damn. I shouldn't respond to questions after midnight :-(. I completely overlooked that this is about client certificates until now. Sorry for missing that, Sam; and thanks Willy for the interesting link. One question comes up for me though, after reading it (unless I am still not awake enough, in

Re: SSL Termination or Passthrough

2017-02-17 Thread Willy Tarreau
On Fri, Feb 17, 2017 at 07:20:14PM -0500, Sam Crowell wrote: > Thanks for the response Daniel. What is the best way to handle SSL traffic > through a load balancer to maintain original client certificates? Just use > mode TCP and passthrough? Is there a way to do that without turning off >

Re: SSL Termination or Passthrough

2017-02-17 Thread Sam Crowell
Thanks a lot for the help. Sam On February 17, 2017 at 7:55:05 PM, Daniel Schneller (daniel.schnel...@centerdevice.com) wrote: You should be able to configure haproxy in TCP mode and have it appear transparent, without the clients complaining. You won't be able to do anything on the http level,

Re: SSL Termination or Passthrough

2017-02-17 Thread Daniel Schneller
You should be able to configure haproxy in TCP mode and have it appear transparent, without the clients complaining. You won't be able to do anything on the http level, of course, but passing encrypted streams back and forth is a completely valid use case. Just keep anything TLS out of the

Re: SSL Termination or Passthrough

2017-02-17 Thread Sam Crowell
I guess it’s probably the same answer, it’s working as intended and even with passthrough the load balancer certificate does not match the backend server so it still throws the warning which makes sense. On February 17, 2017 at 7:20:14 PM, Sam Crowell (crowes...@gmail.com) wrote: Thanks for the

Re: SSL Termination or Passthrough

2017-02-17 Thread Sam Crowell
Thanks for the response Daniel. What is the best way to handle SSL traffic through a load balancer to maintain original client certificates? Just use mode TCP and passthrough? Is there a way to do that without turning off hostname verifier at the client level? Thanks, Sam On February 17, 2017

Re: SSL Termination or Passthrough

2017-02-17 Thread Daniel Schneller
Sam, this not working the way you would like is the cornerstone and one of the key features of TLS. It is designed to ensure there is nothing in the middle between the client and the server. If you need to inspect the traffic, by definition you cannot without the clients trusting your
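The two options discussed in this thread (Daniel's advice to run HAProxy in TCP mode and pass the encrypted stream through untouched, and the alternative of terminating TLS at the load balancer, which only works if the clients trust the load balancer's certificate and which loses the original client certificate on the backend leg) side by side, as an added example that is not part of the original posts. The hostnames, IP addresses and certificate paths are placeholders; the directives themselves exist in HAProxy 1.5 and later.

```haproxy
# Option A: TLS passthrough. HAProxy never decrypts, so the client's
# certificate and the backend's certificate are negotiated end to end
# and the backend verifies the client certificate itself. The backend
# must present a certificate valid for the name the client connects to
# (the load balancer's DNS name), or hostname verification on the client
# fails, which is the warning described in the thread.
frontend tls_passthrough
    bind *:443
    mode tcp
    option tcplog
    # Wait for the ClientHello so SNI can be read before routing.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    use_backend app_passthrough if { req.ssl_sni -i app.example.com }
    default_backend app_passthrough

backend app_passthrough
    mode tcp
    balance roundrobin
    server app1 10.0.0.11:443 check
    server app2 10.0.0.12:443 check

# Option B: terminate at HAProxy, require a client certificate issued by
# our CA, re-encrypt to the backend, and hand the backend the identity it
# would otherwise have verified itself. The backend must accept these
# headers only from HAProxy, never directly from the network.
frontend tls_terminate
    bind *:8443 ssl crt /etc/haproxy/certs/lb.example.com.pem ca-file /etc/haproxy/certs/client-ca.pem verify required
    mode http
    option httplog
    # Strip any client-supplied copies so a caller cannot forge an identity.
    http-request del-header X-SSL-Client-DN
    http-request del-header X-SSL-Client-Serial
    http-request del-header X-SSL-Client-SHA1
    http-request del-header X-SSL-Client-Cert
    # Populate them from the certificate HAProxy actually verified.
    http-request set-header X-SSL-Client-DN     %[ssl_c_s_dn]
    http-request set-header X-SSL-Client-Serial %[ssl_c_serial,hex]
    http-request set-header X-SSL-Client-SHA1   %[ssl_c_sha1,hex]
    http-request set-header X-SSL-Client-Cert   %[ssl_c_der,base64]
    default_backend app_terminated

backend app_terminated
    mode http
    # Re-encrypt and verify the backend's certificate as a client would.
    server app1 10.0.0.11:443 ssl verify required ca-file /etc/haproxy/certs/internal-ca.pem check
    server app2 10.0.0.12:443 ssl verify required ca-file /etc/haproxy/certs/internal-ca.pem check
```

With option A nothing on the HTTP layer is available to HAProxy, as Daniel says, but the client certificate reaches the backend intact and the backend remains the only party that decides whether to trust it. With option B the clients must trust the certificate in lb.example.com.pem, the backend sees a second TLS session with HAProxy's own identity, and the original client identity survives only as the X-SSL-Client-* headers, which is why the backend must reject those headers from any source other than the proxy (for example by only accepting connections from the load balancer's addresses). If the client certificate is meant to be optional, `verify optional` on the bind line together with `ssl_c_used` and `ssl_c_verify` (0 on a successful verification) lets the frontend distinguish "no certificate", "bad certificate" and "good certificate" before forwarding.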

SSL Termination or Passthrough

2017-02-17 Thread Sam Crowell
Is there a way to do SSL termination at the load balancer, but then send the original certificate to the backend server? I have seen plenty of notes and configs for SSL passthrough and SSL termination with re-encryption by the load balancer certificate. Even with passthrough, I still have to

Re: openssl-1.1 SNI callback causing client failures

2017-02-17 Thread Emmanuel Hocdet
Hi Roberto > On 17 Feb 2017 at 01:27, Roberto Guimaraes wrote: > > greetings, > > just a heads up that we've seen client breakage when using haproxy with > openssl-1.1 — dunno how far along you are concerning ossl1.1 usage, but it > has become very clear that

Re: Opinion about blog post of SPOE

2017-02-17 Thread Aleksandar Lazic
Hi Christopher. On 17-02-2017 10:41, Christopher Faulet wrote: On 16/02/2017 at 12:41, Aleksandar Lazic wrote: Do you think that there will be also big changes in the protocol? No not really. The protocol should remain mostly unchanged. In fact, except new "capabilities", there are no

502 error when connection loopback to haproxy

2017-02-17 Thread Chungwei Yen
Hi, I am having a strange error when sending requests back to haproxy. The configuration is to have an additional layer of frontend/backend to generate a unique request id for every request, then redirect back to haproxy to the real frontend. This works fine in the beginning, but after several

Re: Opinion about blog post of SPOE

2017-02-17 Thread Christopher Faulet
On 16/02/2017 at 12:41, Aleksandar Lazic wrote: Do you think that there will be also big changes in the protocol? No not really. The protocol should remain mostly unchanged. In fact, except new "capabilities", there are no big changes. And these capabilities will only influence how frames