Channel: Serverphorums.com - HAProxy

TLS certificate precedence (no replies)

Hi!

From the (1.6) configuration documentation I understand that for the “crt” bind option all files in a directory will be read in alphabetical order (exclusions through reserved extensions notwithstanding).

It goes on to say

> The certificates will be presented to clients who provide a
> valid TLS Server Name Indication field matching one of their CN or alt
> subjects. Wildcards are supported, where a wildcard character '*' is used
> instead of the first hostname component […]
I am wondering what the precedence is if there are two certificates matching a particular domain.

Say I have two certificates available, one wildcard, and one Extended Validation cert, named like this:

cert_001.wildcard.mydomain.com.pem
cert_002.www.mydomain.crt.pem

and a configuration like this

> frontend web_ssl-sni-based
> bind 192.168.205.7:452 ssl crt /etc/haproxy/ssl/

Am I correct to assume (unfortunately I cannot try this out right now) that if a request comes in for “www.mydomain.com” it will get served with the wildcard certificate, because that one sorts first by filename? Or is there some precedence implementation that would prefer the more specific cert where the domain actually matches one of the CN / SAN fields?

Thanks,
Daniel



--
Daniel Schneller
Principal Cloud Engineer

CenterDevice GmbH | Hochstraße 11 | 42697 Solingen | Germany
tel: +49 1754155711
daniel.schneller@centerdevice.de | www.centerdevice.de

Managing directors: Dr. Patrick Peschlow, Dr. Lukas Pustina,
Michael Rosbach, Commercial register no.: HRB 18655,
Register court: Bonn, VAT ID: DE-815299431
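Editor's note, added example (not code from the post above and not HAProxy's own code): the selection rule that answers the question, as I read HAProxy's SNI lookup in src/ssl_sock.c, is that an exact CN/SAN match is tried first, then a wildcard match where '*' stands for the first label only; within each of those two classes the first certificate loaded (alphabetical filename order) keeps the name, and the first loaded certificate is the fallback when the client sends no SNI or nothing matches. The model below encodes that reading so the two files from the post can be reasoned about; the certificate contents (one wildcard name, one exact name) are constructed assumptions, and the `shadowed_names` check is my addition to flag names that two files claim.

```python
"""Model of how a 'crt <directory>' bind picks a certificate for an SNI name.

Added example, not HAProxy code. It encodes the editor's reading of the lookup:
exact match first, then wildcard on the first label, earliest loaded file wins
ties, first loaded file is the fallback. Confirm against a real listener with
openssl s_client before relying on it.
"""
from collections import namedtuple
from typing import Dict, List, Optional, Tuple

# names: the CN plus every subjectAltName dNSName, as they appear in the file
Cert = namedtuple("Cert", ["filename", "names"])


def build_index(certs: List[Cert]) -> Tuple[List[Cert], Dict[str, Cert], Dict[str, Cert]]:
    """Fill exact and wildcard lookup tables in directory (alphabetical) order.

    A name already present is NOT overwritten, so the earliest loaded file
    keeps it; that models the 'first one wins' behaviour of the SNI trees.
    """
    ordered = sorted(certs, key=lambda c: c.filename)
    exact: Dict[str, Cert] = {}
    wildcard: Dict[str, Cert] = {}
    for cert in ordered:
        for raw in cert.names:
            name = raw.lower().rstrip(".")
            if name.startswith("*."):
                wildcard.setdefault(name[2:], cert)  # key is the part after '*.'
            else:
                exact.setdefault(name, cert)
    return ordered, exact, wildcard


def select_cert(certs: List[Cert], sni: Optional[str]) -> Optional[Cert]:
    """Return the certificate that would be presented for this SNI value."""
    ordered, exact, wildcard = build_index(certs)
    if not ordered:
        return None
    if sni:
        host = sni.lower().rstrip(".")
        if host in exact:                 # pass 1: exact CN/SAN match
            return exact[host]
        parts = host.split(".", 1)        # '*' replaces only the first label,
        if len(parts) == 2 and parts[1] in wildcard:  # so a.b.x.com never matches *.x.com
            return wildcard[parts[1]]
    return ordered[0]                     # no SNI, or no match: first loaded file


def shadowed_names(certs: List[Cert]) -> List[Tuple[str, str, str]]:
    """List (name, file_that_serves_it, file_never_used_for_it) for duplicated names.

    Easy to hit when a renewed certificate is dropped into the directory under a
    new filename next to the old one: the old file keeps serving the name.
    """
    ordered = sorted(certs, key=lambda c: c.filename)
    owner_of: Dict[str, Cert] = {}
    shadowed = []
    for cert in ordered:
        for raw in cert.names:
            name = raw.lower().rstrip(".")
            owner = owner_of.setdefault(name, cert)
            if owner is not cert:
                shadowed.append((name, owner.filename, cert.filename))
    return shadowed


# Constructed sample using the two filenames from the post; the names inside
# each file are assumed (wildcard in the first, exact host in the second).
CERTS = [
    Cert("cert_001.wildcard.mydomain.com.pem", ("*.mydomain.com",)),
    Cert("cert_002.www.mydomain.crt.pem", ("www.mydomain.com",)),
]

if __name__ == "__main__":
    for sni in ("www.mydomain.com", "api.mydomain.com", "deep.api.mydomain.com", None):
        print(f"{sni!r:28} -> {select_cert(CERTS, sni).filename}")
```

Under this model "www.mydomain.com" gets cert_002 because the exact match is tried before the wildcard, regardless of filename order; filename order only decides ties within a class and the fallback. To check the real listener from the post, query it with `openssl s_client -connect 192.168.205.7:452 -servername www.mydomain.com </dev/null 2>/dev/null | openssl x509 -noout -subject -text | grep -A1 'Subject'` once with the exact name and once with an unmatched name, and compare the subjects returned.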
