Feature #8232

open

different ssl options based on the sni name

Added by Zoltan Beck over 6 years ago. Updated about 5 years ago.

Status: New
Priority: Normal
Assignee: -
Category: haproxy
Target version: -
Start date: 12/22/2017
Due date:
% Done: 0%
Estimated time:
Plus Target Version:

Description

We have a strange issue with one of our sites on https and Android/Chrome. Based on our research and the big help of Pi Ba, it looks like we need a new feature in pfSense's HAProxy package. We want two or more domains on one ip:port with only one, or a part of them, using client certificate validation, i.e. different ssl options based on the SNI name. Probably the support for crt-list solves that.

So for example: we have two sites on https, let's say https://example1.com and https://example2.com and a self signed certificate authority.

The https://example1.com is publicly available.
The https://example2.com is available only if the user has a valid certificate signed by the self signed certificate authority and the certificate CN contains a specified username. For this I'm using a custom ACL: ssl_c_s_dn(cn) -m sub user1 user2 ... The username is the content of the certificate CN attribute.

In the current feature set of the HAProxy package only one of the sites is working well at a time: https://example1.com works from all platforms and https://example2.com certificate validation does not. Or in reverse, https://example2.com certificate validation works but https://example1.com is not available from Android/Chrome.
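The split the description asks for, written out as a plain HAProxy crt-list plus frontend. This is an added example, not the pfSense package's generated configuration and not code from the pull request discussed below; the file paths, the CA file name and the backend addresses are placeholders assumed for illustration, and the ACL reuses the ssl_c_s_dn(cn) match from the description.

```haproxy
# Contents of the crt-list file (placeholder path /etc/haproxy/crt-list.txt).
# Format: <pem file> [per-certificate ssl options] <SNI filter>
# The bracketed options override the bind line's defaults for that SNI only,
# so only the example2.com handshake asks for a client certificate.
#
# /etc/haproxy/certs/example1.com.pem [verify none] example1.com
# /etc/haproxy/certs/example2.com.pem [verify required ca-file /etc/haproxy/certs/example-ca.pem] example2.com

frontend https_in
    # Both sites share one ip:port; the crt-list selects certificate and
    # client-certificate policy by the SNI name the client sends.
    bind *:443 ssl crt-list /etc/haproxy/crt-list.txt

    acl host_ex1 ssl_fc_sni -i example1.com
    acl host_ex2 ssl_fc_sni -i example2.com

    # Username check from the description: substring match on the client
    # certificate CN. Note that "-m sub" makes "user1" also match "user10";
    # switch to "-m str" when the CN must equal the username exactly.
    acl cn_allowed ssl_c_s_dn(cn) -m sub user1 user2

    # example2.com is served only to a verified client certificate whose
    # CN passes the ACL; everything else on that name is refused.
    http-request deny deny_status 403 if host_ex2 !cn_allowed

    use_backend be_example1 if host_ex1
    use_backend be_example2 if host_ex2

# Backend addresses are constructed documentation-range placeholders.
backend be_example1
    server web1 192.0.2.10:8080

backend be_example2
    server web2 192.0.2.20:8080
```

Keeping "verify none" on the primary certificate's crt-list line is the point of the exercise: the primary site never sends a CertificateRequest, while example2.com's handshake fails outright for certificates not signed by the placeholder CA, and the CN check then narrows the verified ones to the listed users.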

Actions #1

Updated by Pi Ba over 6 years ago

Can you try and test https://github.com/pfsense/FreeBSD-ports/pull/491 ?
It should allow crt-list to be used. This should allow secondary frontends to perform client certificate validation while not asking for it on the primary.

Actions #2

Updated by Zoltan Beck over 6 years ago

Can you please give us the steps to install this version on pfSense 2.4.2-RELEASE-p1?

Actions #3

Updated by Pi Ba over 6 years ago

Patches are based on top of haproxy-devel package 0.54_2. To apply them, do the following:

- Install the 'System Patches' package from the System\PackageManager menu.

- Then from the System\Patches menu use the "Add New Patch" button and fill in:
Name: HaproxyPatch1
URL: https://github.com/pfsense/FreeBSD-ports/pull/491/commits/d1a0ce62e15f840f1232630d5f845c26aff1626f.patch
PathStripCount: 4
Save that, then press Fetch. After that it should show an 'Apply' button; press that.

(The 2nd commit in the pull request is only a version bump, so it can be skipped.)

- After that, also add the 3rd commit with "Add New Patch":
Name: HaproxyPatch2
URL: https://github.com/pfsense/FreeBSD-ports/pull/491/commits/9c0d6d0bc0c5e6f66300ad2848f8d8de13d6c519.patch
PathStripCount: 4
Save that, then press Fetch. After that it should show an 'Apply' button; press that.

(If all fails, you should be able to press Revert while the patches are applied, but if that doesn't work, uninstall the haproxy package and reinstall it, and you will be back to 'normal'.)

With the patches applied, haproxy can be reconfigured. (These changes might get lost if the config gets saved again without these patches applied.)
The secondary frontend will have options to configure the client certificate CA. Leave those empty on the primary frontend.

Lemme know how it works out. :)

Actions #4

Updated by Zoltan Beck over 6 years ago

Thank you for your help, I installed it as you mentioned. I don't know if it works as expected, but on every frontend I have the "SSL Offloading" section duplicated, even on the primary or the shared ones, and I have one section "SSL Offloading - client certificates". Is this correct? Why are there two "SSL Offloading" sections on every frontend?

Actions #5

Updated by Pi Ba over 6 years ago

Ah, um, no, sorry. A fix will be added shortly. P.S. Are you on the IRC #pfSense channel on freenode? Maybe we could talk there.

Actions #6

Updated by Pi Ba over 6 years ago

Added commit to remove the double section.
URL: https://github.com/pfsense/FreeBSD-ports/pull/491/commits/83ae379cdad1744cd86a1e384ae99aeaa4006c32.patch
Can add it as another patch just like before.

Actions #7

Updated by Zoltan Beck over 6 years ago

Much better, I'll start the functional testing!

Actions #8

Updated by Zoltan Beck over 5 years ago

Hi Pi Ba,

it looks like this patch does not work with the most recent version of pfSense 2.4.3-p1. Can you check please?
Kind Regards,
Zoltan

Actions #9

Updated by cedric kopplin about 5 years ago

Hey Pi Ba

I have the same problem. When will the fix be upstreamed to the "main channel" of pfs?

Greetings
Cedric
