When doing tls->haproxy->tls (bridged https) re-encryption with SNI, we
need to verify the backend certificate against the SNI value requested
by the client.
Something like server options:

    server app1 app1.example.ca:443 ssl no-sslv3 sni ssl_fc_sni verify required verifyhost ssl_fc_sni

However, the "verifyhost ssl_fc_sni" part doesn't work at current. Is
there any chance I could get this support patched in?
Most folks seem to be either ignoring the backend server validation,
setting verify none, or are stripping tls altogether leaving a pretty
big security hole.
--
Kevin McArthur
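For readers of this thread, here is an added configuration example (not Kevin's config and not from the HAProxy project) that puts the weak pattern the post describes next to a bridged-HTTPS backend with certificate verification switched on. Hostnames, file paths and server names are placeholders I have assumed; `verifyhost` is given a static hostname, because that is the form the directive accepts, and the post's request is precisely for it to accept `ssl_fc_sni` instead.

```haproxy
# Added example, not the original poster's configuration.
# Frontend terminates TLS, backends re-encrypt to the origin (bridged HTTPS).
frontend https_in
    bind :443 ssl crt /etc/haproxy/certs/front.pem   # assumed path
    mode http
    default_backend app_verified

# Verified backend: the origin's certificate chain is checked against a CA
# bundle, the client's SNI (ssl_fc_sni) is forwarded to the origin, and the
# certificate's name is checked against a static hostname via verifyhost.
backend app_verified
    mode http
    server app1 app1.example.ca:443 ssl no-sslv3 verify required ca-file /etc/ssl/certs/ca-certificates.crt sni ssl_fc_sni verifyhost app1.example.ca

# Weak backend: "verify none" accepts whatever certificate the origin side
# presents, so anything on the path between HAProxy and the origin can
# impersonate it. This is the hole the post is warning about.
backend app_unverified
    mode http
    server app1 app1.example.ca:443 ssl no-sslv3 verify none
```

Validate the file before reloading with `haproxy -c -f /path/to/haproxy.cfg`; a misspelled `verifyhost` value or a missing `ca-file` is reported there rather than at the first backend handshake.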