Feature #8232
open
different ssl options based on the sni name
0%
Description
We have a strange issue with one of our sites on https and Android/Chrome, based on our research and big help of Pi Ba, looks like we need a new feature of pfSense's HAProxy package. We want two or more domains on one ip:port with only one or a part of them using client certificate validation, so using different ssl options based on the SNI name. Probably the support for crt-list solves that.
So for example: we have two sites on https, let's say https://example1.com and https://example2.com and a self signed certificate authority.
The https://example1.com is publicly available.
The https://example2.com is available only if the user has a valid certificate signed by the self signed certificate authority and the certificate CN contains a specified username. I'm using for this a custom ACL: ssl_c_s_dn(cn) -m sub user1 user2 ... The username is the content of the certificate CN attribute.
In the current feature set of HAProxy package only one of the sites is working well at a time, https://example1.com is working from all platforms and https://example2.com certificate validation not. Or in reverse, https://example2.com certificate validation works but https://example1.com is not available from Android/Chrome.
Updated by 
Updated by 
Updated by