Feature #8232

open

different ssl options based on the sni name

Added by Zoltan Beck about 7 years ago. Updated almost 6 years ago.

Status: New
Priority: Normal
Assignee: -
Category: haproxy
Target version: -
Start date: 12/22/2017
Due date:
% Done: 0%
Estimated time:
Plus Target Version:

Description

We have a strange issue with one of our sites on https and Android/Chrome. Based on our research and the big help of Pi Ba, it looks like we need a new feature in pfSense's HAProxy package. We want two or more domains on one ip:port with only one or some of them using client certificate validation, i.e. different ssl options based on the SNI name. Support for crt-list would probably solve that.

So for example: we have two sites on https, let's say https://example1.com and https://example2.com and a self signed certificate authority.

The https://example1.com is publicly available.
The https://example2.com is available only if the user has a valid certificate signed by the self signed certificate authority and the certificate CN contains a specified username. For this I'm using a custom ACL: ssl_c_s_dn(cn) -m sub user1 user2 ... The username is the content of the certificate CN attribute.

In the current feature set of the HAProxy package only one of the sites works well at a time: https://example1.com works from all platforms but https://example2.com certificate validation does not. Or, in reverse, https://example2.com certificate validation works but https://example1.com is not available from Android/Chrome.
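The configuration the ticket is asking the package to generate, as an added example rather than anything from the ticket or the pfSense package: one bind on one ip:port serving both names from a crt-list, with client certificate verification switched on only for the example2.com entry. The file paths, backend addresses and ACL names are assumptions; the ssl_c_s_dn(cn) ACL is the one from the description.

```haproxy
# Added example, not from the ticket. Assumed paths: /etc/haproxy/certs/*.pem,
# /etc/haproxy/ca.pem (the self-signed CA), /etc/haproxy/crt-list.txt.
#
# /etc/haproxy/crt-list.txt, one line per certificate:
#   <certfile> [per-certificate ssl options] <SNI filter>
#
#   /etc/haproxy/certs/example1.com.pem example1.com
#   /etc/haproxy/certs/example2.com.pem [verify required ca-file /etc/haproxy/ca.pem] example2.com
#
# Only the example2.com entry carries "verify required", so Android/Chrome clients
# connecting with SNI example1.com are never asked for a client certificate.

frontend https_in
    mode http
    # No "verify" on the bind line: the default (no client cert) applies to every
    # name except those whose crt-list entry overrides it.
    bind *:443 ssl crt-list /etc/haproxy/crt-list.txt

    acl sni_ex1 ssl_fc_sni -i example1.com
    acl sni_ex2 ssl_fc_sni -i example2.com

    # ACL from the ticket. Note that "-m sub" is a substring match, so the pattern
    # "user1" also accepts a CN containing "user10"; use "-m str" on the full CN
    # or tighten the patterns if that is not intended.
    acl allowed_user ssl_c_s_dn(cn) -m sub user1 user2

    # Defence in depth: "verify required" already fails the handshake without a
    # chain to the CA, but this keeps example2.com closed if someone later edits
    # the crt-list entry to "verify optional".
    http-request deny if sni_ex2 !{ ssl_c_used }
    http-request deny if sni_ex2 !allowed_user

    use_backend ex2_backend if sni_ex2
    use_backend ex1_backend if sni_ex1
    default_backend ex1_backend

backend ex1_backend
    mode http
    server web1 192.0.2.10:80   # assumed address

backend ex2_backend
    mode http
    server web2 192.0.2.11:80   # assumed address
```

The bracketed per-certificate options in the crt-list are the feature the ticket refers to; the HAProxy build behind the package has to support them for this to load.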
