General Discussion / Re: HAProxy Client Certificate Authentication for specific backends
« on: August 23, 2022, 06:36:42 pm »
Hi all,
I'm trying to figure out the configuration provided to do the trick with "standard" published service without CERT client verification and "securized" service with CERT client verification.
It's working with CERT verification with condition match to custom ssl_c_used 1 and also with client CERT SSL CA verification with Common Name like " xxxx".
The fact is in both cases, I'm not able to have:
- the standard published service working AND
- the securized service not working
When I put the Revocation list check in place in the public service backend, with the client CERT tagged as revoked (compromised reason for instance)
When I test, both of them (services) are broken with "ERR_BAD_SSL_CLIENT_AUTH_CERT" in the client browser and with "HTTPS-WAN-frontend/192.168.x.x:443: SSL client certificate not trusted" message in the haproxy logs.
Do you have an idea how to manage this use case by securizing specific services and none of the standard services, and keeping the possibility to revoke a compromised client CERT used in a specific service?
Thank you for your help.
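Added example, not part of the original post and not generated by the OPNsense plugin: a plain HAProxy configuration (placeholder paths, hostnames and backends) for the pattern the question describes, where a shared frontend must keep serving the public service even when the browser presents a revoked client certificate. With `verify optional` alone HAProxy aborts the handshake on any verification failure, which is the "SSL client certificate not trusted" symptom above, so `ca-ignore-err`/`crt-ignore-err` let the handshake complete and the verification result in `ssl_c_verify` is enforced per service instead.

```haproxy
# Shared WAN frontend: the client certificate is requested but optional, and a
# failed verification (unknown CA, expired, or revoked through the CRL) no longer
# aborts the TLS handshake; the outcome is exposed through ssl_c_verify instead.
frontend HTTPS-WAN-frontend
    bind :443 ssl crt /path/to/server.pem ca-file /path/to/client-ca.pem crl-file /path/to/client-ca.crl verify optional ca-ignore-err all crt-ignore-err all

    # Which service the request is for (placeholder hostname)
    acl is_secured   hdr(host) -i secure.example.com

    # A client certificate was presented at all
    acl cert_present ssl_c_used
    # ...and it passed chain, expiry and CRL checks (0 = X509_V_OK; a revoked
    # certificate yields 23 = X509_V_ERR_CERT_REVOKED). ssl_c_verify is also 0
    # when no certificate was sent, so both ACLs are required together.
    acl cert_valid   ssl_c_verify 0

    # Public service: served whether or not a (possibly revoked) certificate was sent.
    # Secured service: rejected unless a certificate was presented and verified.
    http-request deny deny_status 403 if is_secured !cert_present
    http-request deny deny_status 403 if is_secured !cert_valid

    # Record the verify result in the access log so attempts with a revoked
    # certificate remain visible to the operator.
    http-request capture ssl_c_verify len 3

    use_backend be_secured if is_secured
    default_backend be_public

backend be_public
    server public1 127.0.0.1:8080

backend be_secured
    server secured1 127.0.0.1:8443
```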