Hi,
Not sure if valid, and even if so, it might be minor and related to specific
use cases.
So, I've noticed that if in the same bind line we have a fallback cert followed
by more specific certs, or a directory containing those certs, haproxy still
adds the hosts of the fallback cert first, which also happens to be the
default one.
Even though I understand that the longest match will be honored, because
of the separate ebtrees, in case of any equal collision between the hosts in
the fallback cert and the more specific certs, the fallback cert will be served,
which is probably not desirable.
ex:
bind ..... crt foo-san.com foo.com
with both containing *.foo.com
foo-san.com would be the cert served.
Same for fqdn collisions.
I have a small patch that merely saves the hosts of the default (fallback)
cert in a wordlist inside the bind_conf structure, and then inserts them last,
after all other certs of the config line have been processed.
With the change, haproxy consistently searches for the
non-default (fallback) certs first, and only serves the fallback if a more
specific match isn't found.
Any thoughts on whether this would be a positive change and/or
whether it's needed?
thanks,
roberto
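A constructed simulation of the lookup order described in the mail, added here as an illustration and not taken from HAProxy's code or from roberto's patch. It assumes the collision rule the mail describes (the first-inserted host wins within each tree) and uses a made-up bind line with three certs; the names, hosts and the `served` helper are all invented for the example.

```python
# Constructed simulation of the SNI lookup described in the mail; not HAProxy code.
# Two dicts stand in for the two ebtrees: exact FQDN names and wildcard names.
# Assumed collision rule: when several certs carry the same host, the cert whose
# host was inserted first is the one found, so bind-line order decides.

def build_tables(certs, defer_fallback=False):
    """certs: [(cert_name, [hosts]), ...] in bind-line order; certs[0] is the
    fallback/default cert. With defer_fallback the fallback's hosts are
    inserted last, which is what the proposed change does."""
    exact, wildcard = {}, {}
    order = certs[1:] + certs[:1] if defer_fallback else list(certs)
    for cert, hosts in order:
        for host in hosts:
            table = wildcard if host.startswith("*.") else exact
            table.setdefault(host.lower(), cert)  # first insert wins
    return exact, wildcard, certs[0][0]

def lookup(tables, servername):
    """Exact match first, then a wildcard covering only the leftmost label,
    then the fallback cert."""
    exact, wildcard, fallback = tables
    name = servername.lower()
    if name in exact:
        return exact[name]
    dot = name.find(".")
    if dot > 0 and "*" + name[dot:] in wildcard:
        return wildcard["*" + name[dot:]]
    return fallback

# Constructed bind line: crt foo-san.com foo.com api.foo.com, each cert listed
# with the hosts it contains; the fallback collides on *.foo.com and api.foo.com.
CERTS = [
    ("foo-san.com", ["foo-san.com", "*.foo.com", "api.foo.com"]),
    ("foo.com", ["foo.com", "*.foo.com"]),
    ("api.foo.com", ["api.foo.com"]),
]

def served(servername, defer_fallback=False):
    """Cert name that would be served for the given SNI servername."""
    return lookup(build_tables(CERTS, defer_fallback), servername)

if __name__ == "__main__":
    for sni in ("www.foo.com", "api.foo.com", "foo.com", "other.example"):
        print(f"{sni:14} config order -> {served(sni):12} "
              f"fallback deferred -> {served(sni, True)}")
```

In config order both the wildcard and the FQDN collision resolve to foo-san.com; with the fallback's hosts deferred, the more specific certs win and foo-san.com is served only for names nothing else covers.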