Bug #7039
openHAProxy backend configuration does not handle intermediate CAs properly
0%
Description
In HAProxy backend settings, when configuring a server, there is the option to have it validate SSL certificates against a specific CA.
This works without a single problem with a standard root CA, but when needing to validate a certificate with an intermediate CA, this does not work anymore.
I had this surprise when switching certificates :- Before : simple PKI infrastructure with a root CA, and a server certificate made from it, it worked.
- After : complex PKI infrastructure with an offline root CA, an online intermediate CA, and a server certificate made from it, which results in a "SSL handshake failure" when checking the certificate.
Inspection of the configuration text file reveals that the backend server definition uses only the file containing the intermediate certificate authority.
Since this file does not include the root CA, obviously it can't do a complete verification of the trust chain, which would result in a SSL handshake failure.
On a separate note, when a certificate authority is affiliated to another certificate loaded in pfSense, the display is appropriate :
"CA: Intermediate CA (CA: ROOT CA)"
But it does not generate a combined chain file that should contain certificates for both CAs (Root + Intermediate), which would be the proper expected behavior.
As a workaround I have disabled the SSL certificate check for the time being.
Updated by Jim Pingle over 3 years ago
- Status changed from New to Pull Request Review
Updated by Renato Botelho over 3 years ago
- Status changed from Pull Request Review to Feedback
- Assignee set to Renato Botelho
PR has been merged. Thanks!
Updated by Dennis Neuhaeuser 6 months ago
almost 3 years later I have the same problem.
The PR does not seem to be in the current package versions (0.63_2).