Hello there,
While testing SSL termination with Haproxy, I came across a strange behavior, and wonder if this is a bug or something expected.
I have a self-signed X509 certificate without CN. So the cert looks like this:
Certificate:
Data:
Version: 1 (0x0)
Serial Number: 11926082458965984689 (0xa581f4cf30af45b1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=XX, L=Default City, O=Default Company Ltd
Validity
Not Before: Jul 15 22:56:12 2015 GMT
Not After : Jul 14 22:56:12 2016 GMT
Subject: C=XX, L=Default City, O=Default Company Ltd
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Then I added the cipher string to the bind line:
bind 0.0.0.0:8443 ssl crt /var/lib/load-balancer-servo/certwithoutcn/cert..pem no-sslv3 no-tlsv10 no-tlsv11 ciphers DHE-RSA-AES256-SHA256
Then haproxy does not honor the protocol options or the specified cipher string: the list of accepted ciphers is the same as in the case without the protocol and cipher options (so it is the OpenSSL default). When a cert with a CN (any CN, valid or invalid) is used, the cipher string is honored correctly.
Is this a bug?
-------------------
Sang-Min Park – Software Engineer
HP Helion Cloud
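The first thing to pin down with a report like this is what the listener actually negotiates, measured from outside with a client that forces one protocol version and one cipher string per handshake, and then compared with what the bind line declares. The script below is an added example, not code from the post or from the HAProxy project. It uses only Python's standard ssl module; the host, port and the sample bind line in the usage section are assumptions for illustration. SSLv3 cannot be probed with a modern Python/OpenSSL build, so the script records it in the policy but only drives TLS 1.0, 1.1 and 1.2 handshakes.

```python
"""Added example (not from the mailing-list post or the HAProxy project):
probe a TLS listener and compare what it really negotiates with the policy
an HAProxy 'bind ... ssl' line declares. Host, port and the sample bind line
in the usage section are assumptions for illustration."""
import socket
import ssl
import sys

# HAProxy bind keywords that disable a protocol version, mapped to the
# ssl.TLSVersion member name Python uses for that version.
BIND_PROTO_FLAGS = {
    "no-sslv3": "SSLv3",
    "no-tlsv10": "TLSv1",
    "no-tlsv11": "TLSv1_1",
    "no-tlsv12": "TLSv1_2",
    "no-tlsv13": "TLSv1_3",
}


def parse_bind_policy(bind_line):
    """Return the TLS policy declared on an HAProxy bind line:
    {'disabled': set of version names, 'ciphers': OpenSSL cipher string or None}."""
    tokens = bind_line.split()
    policy = {"disabled": set(), "ciphers": None}
    for i, tok in enumerate(tokens):
        if tok in BIND_PROTO_FLAGS:
            policy["disabled"].add(BIND_PROTO_FLAGS[tok])
        elif tok == "ciphers" and i + 1 < len(tokens):
            policy["ciphers"] = tokens[i + 1]
    return policy


def expand_cipher_string(cipher_string):
    """Ask the local OpenSSL which suite names an OpenSSL cipher string selects.
    TLS 1.3 suites are configured separately and always appear in the result."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return {c["name"] for c in ctx.get_ciphers()}


def probe_listener(host, port, versions, cipher_strings, server_hostname=None):
    """Attempt one handshake per (version, cipher string) and record the outcome.
    Certificate trust is deliberately not checked: the target is self-signed and
    the question is which protocols and suites it accepts, not who it is."""
    results = {}
    for ver in versions:
        for cipher in cipher_strings:
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            ctx.minimum_version = ver
            ctx.maximum_version = ver
            try:
                ctx.set_ciphers(cipher)
            except ssl.SSLError:
                results[(ver.name, cipher)] = "unsupported-locally"
                continue
            try:
                with socket.create_connection((host, port), timeout=5) as sock:
                    with ctx.wrap_socket(sock, server_hostname=server_hostname) as tls:
                        results[(ver.name, cipher)] = "accepted:" + tls.cipher()[0]
            except (ssl.SSLError, OSError):
                results[(ver.name, cipher)] = "rejected"
    return results


def violations(policy, results):
    """Return [(probe, reason)] for every accepted handshake the bind policy should
    have refused: a disabled protocol version, or a suite outside the cipher string."""
    allowed = expand_cipher_string(policy["ciphers"]) if policy["ciphers"] else None
    found = []
    for (ver, cipher), outcome in results.items():
        if not outcome.startswith("accepted:"):
            continue
        negotiated = outcome.split(":", 1)[1]
        if ver in policy["disabled"]:
            found.append(((ver, cipher), "disabled version %s accepted" % ver))
        elif allowed is not None and negotiated not in allowed:
            found.append(((ver, cipher), "suite %s not in cipher string" % negotiated))
    return found


if __name__ == "__main__":
    # Usage: python probe.py HOST PORT   (HOST/PORT: wherever HAProxy listens; assumed)
    host, port = sys.argv[1], int(sys.argv[2])
    bind_line = ("bind 0.0.0.0:8443 ssl crt /etc/haproxy/cert.pem "
                 "no-sslv3 no-tlsv10 no-tlsv11 ciphers DHE-RSA-AES256-SHA256")  # assumed
    policy = parse_bind_policy(bind_line)
    # Offer the broad DEFAULT list as well, so a listener that ignores its
    # cipher string shows up as accepting suites it should not.
    observed = probe_listener(
        host, port,
        [ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.TLSv1_2],
        ["DEFAULT", policy["ciphers"]])
    for probe, outcome in sorted(observed.items()):
        print(probe, outcome)
    for probe, reason in violations(policy, observed):
        print("VIOLATION", probe, reason)
```

Run it once against the listener configured with the CN-less certificate and once with a certificate that has a CN; if the first run reports TLS 1.0 or TLS 1.1 handshakes accepted, or a negotiated suite other than DHE-RSA-AES256-SHA256, while the second run is clean, the difference is reproducible independently of any particular client's defaults and is worth attaching to the bug report.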