Client cert verification on some paths

Joao Morais
Client cert verification on some paths
December 02, 2017 01:00AM
Hi, I have some apps that need to mimic an Apache httpd behavior on client certificate verification: require certificate only on some paths.

Apache does this by implementing SSL renegotiation, as briefly explained here [1].

Of course I can `mode tcp` proxy to an Apache instance to do that for me, but my topology would be simplified if I could implement SSL renegotiation on HAProxy as soon as I can fetch the path sample.

Is there a way to accomplish this without using Apache httpd?

~jm

[1] http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslverifyclient
Aleksandar Lazic
Re: Client cert verification on some paths
December 02, 2017 12:00PM
Hi.

------ Original message ------
From: "Joao Morais" <[email protected]>
To: "HAproxy Mailing Lists" <[email protected]>
Sent: 02.12.2017 00:53:33
Subject: Client cert verification on some paths

>
>Hi, I have some apps that need to mimic an Apache httpd behavior on
>client certificate verification: require certificate only on some
>paths.
>
>Apache does this implementing SSL renegotiation as briefly explained
>here[1].
>
>Of course I can `mode tcp` proxy to an Apache instance to do that for me
>but my topology would be simplified if I could implement SSL
>renegotiation on HAProxy as soon as I can fetch the path sample.
>
>Is there a way to accomplish this without using Apache httpd?
You can use the following line to fulfil your request (untested):

bind :443 ssl ca-file "${PATH_TO_CAFILE}" crl-file "${PATH_TO_CRLFILE}" verify "${VERIFY_MODE}"

http://cbonte.github.io/haproxy-dconv/1.7/configuration.html#5.1
http://cbonte.github.io/haproxy-dconv/1.7/configuration.html#5.1-ca-file
http://cbonte.github.io/haproxy-dconv/1.7/configuration.html#5.1-crl-file
http://cbonte.github.io/haproxy-dconv/1.7/configuration.html#5.1-verify

You can add the following header to see if the client was successfully
verified.

http-request set-header X-SSL-Client-Verify %[ssl_c_verify]

http://cbonte.github.io/haproxy-dconv/1.7/configuration.html#4.2-http-request

When you start haproxy with the environment variables PATH_TO_CAFILE
and PATH_TO_CRLFILE set to your paths and VERIFY_MODE=optional, you can
test whether the verification works.

http://cbonte.github.io/haproxy-dconv/1.7/configuration.html#2.3

I strongly suggest going through the manual several times; it's worth
it and you learn a lot about haproxy ;-)

>~jm
>
>[1] http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslverifyclient
>
Hth
Aleks
Joao Morais
Re: Client cert verification on some paths
December 02, 2017 12:40PM
> On 2 Dec 2017, at 08:47, Aleksandar Lazic <[email protected]> wrote:
>
> From: "Joao Morais" <[email protected]> sent: 02.12.2017 00:53:33
>
>> Hi, I have some apps that need to mimic an Apache httpd behavior on client certificate verification: require certificate only on some paths.
>>
>> Apache does this implementing SSL renegotiation as briefly explained here[1].
>>
>> Of course I can `mode tcp` proxy to an Apache instance to do that for me but my topology would be simplified if I could implement SSL renegotiation on HAProxy as soon as I can fetch the path sample.
>>
>> Is there a way to accomplish this without using Apache httpd?
> You can use the following line to fulfil your request (untested):
>
> bind :443 ssl ca-file "${PATH_TO_CAFILE}" crl-file "${PATH_TO_CRLFILE}" verify "${VERIFY_MODE}"
>
> http://cbonte.github.io/haproxy-dconv/1.7/configuration.html#5.1
> http://cbonte.github.io/haproxy-dconv/1.7/configuration.html#5.1-ca-file
> http://cbonte.github.io/haproxy-dconv/1.7/configuration.html#5.1-crl-file
> http://cbonte.github.io/haproxy-dconv/1.7/configuration.html#5.1-verify
>
> You can add the following header to see if the client was successfully verified.
>
> http-request set-header X-SSL-Client-Verify %[ssl_c_verify]
>
> http://cbonte.github.io/haproxy-dconv/1.7/configuration.html#4.2-http-request
>
> When you start haproxy with the environment variables PATH_TO_CAFILE and PATH_TO_CRLFILE set to your paths and VERIFY_MODE=optional, you can test whether the verification works.
>
> http://cbonte.github.io/haproxy-dconv/1.7/configuration.html#2.3

Thanks for the detailed explanation.

This is actually very close to my current setup, and I'm looking for a way to avoid asking the user for the certificate in a browser if he doesn't request the /path that requires the certificate. HAProxy has a lot of L5/6 fetch samples, and with some keyword unknown to me, perhaps I could implement an SSL renegotiation (or something like that) just like Apache httpd already implements.

Just to name an example: HAProxy doesn't have native support for configuring an HTTP response which explains to the user that he needs to provide a certificate (on one page), and one signed by a known CA (on another page), but I got it working using verify optional and fetching the right L5 samples. The actual configuration, however, is far beyond my knowledge, in such a way that I simply cannot say whether this is even possible.

> I strongly suggest going through the manual several times; it's worth it and you learn a lot about haproxy ;-)

Sure, the link to the doc is already on my favourites =)

~jm
Vincent Bernat
Re: Client cert verification on some paths
December 02, 2017 12:40PM
❦ 2 December 2017 10:47 GMT, "Aleksandar Lazic" <[email protected]> :

> You can use the following line to full fill your request, untested.
>
> bind :443 ssl ca-file "${PATH_TO_CAFILE}" crl-file
> "${PATH_TO_CRLFILE}" verify "${VERIFY_MODE}"

If verify mode is set to optional, on browsers, this will still trigger
the dialog box to get a certificate from the user. AFAIK, there is no
way to achieve what Apache is doing using HAProxy: there is no code to
change SSL parameters after initial bind.
--
If you tell the truth you don't have to remember anything.
-- Mark Twain
Lukas Tribus
Re: Client cert verification on some paths
December 04, 2017 09:30AM
Hello,


2017-12-02 12:32 GMT+01:00 Vincent Bernat <[email protected]>:
> If verify mode is set to optional, on browsers, this will still trigger
> the dialog box to get a certificate from the user. AFAIK, there is no
> way to achieve what Apache is doing using HAProxy: there is no code to
> change SSL parameters after initial bind.

More specifically this requires SSL renegotiation, which has been
removed in TLSv1.3 to further simplify things, so even Apache won't be
able to do this once you upgrade to TLSv1.3.

So really this should not be used
Lukas Tribus
Re: Client cert verification on some paths
December 04, 2017 09:30AM
continuing ...

2017-12-04 9:21 GMT+01:00 Lukas Tribus <[email protected]>:
> More specifically this requires SSL renegotiation, which has been
> removed in TLSv1.3 to further simplify things, so even Apache won't be
> able to do this once you upgrade to TLSv1.3.
>
> So really this should not be used ...

.... otherwise you'd box yourself into a corner with Apache and TLSv1.2.
Use a dedicated subdomain/certificate/bind configuration to avoid
needless browser dialogs with "verify optional". That's the only
portable and future-proof way.


Lukas
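As an added illustration of the approach Lukas recommends (not a configuration posted in this thread), the following HAProxy snippet keeps the public hostname free of any CertificateRequest and moves the certificate-gated path onto a dedicated hostname with its own bind, where the ca-file, crl-file and verify mode from Aleks' reply are fixed at bind time. Hostnames, IPs, file paths and the /secure prefix are placeholders; it assumes a second IP address (or port) is available for the mutual-TLS bind and HAProxy 1.7 or later keywords.

```haproxy
# Added example, not from the mailing-list thread. All names are placeholders.
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Public endpoint: no ca-file/verify at all, so browsers never show the
# certificate chooser. Requests for the protected prefix are redirected to
# the dedicated hostname instead of trying to renegotiate on this bind.
frontend fe_public
    bind :443 ssl crt /etc/haproxy/certs/www.example.com.pem
    acl needs_cert path_beg /secure
    http-request redirect prefix https://secure.example.com code 302 if needs_cert
    default_backend be_app

# Mutual-TLS endpoint on its own IP/hostname. Because the CA bundle, CRL
# and verify mode belong to the bind line, one bind cannot switch them per
# path; a second bind is the portable answer (works unchanged on TLS 1.3).
frontend fe_mtls
    bind 192.0.2.10:443 ssl crt /etc/haproxy/certs/secure.example.com.pem ca-file /etc/haproxy/ca/corp-ca.pem crl-file /etc/haproxy/ca/corp.crl verify required
    # ssl_c_verify is 0 only when the chain validated against ca-file and
    # the CRL; with "verify required" a bad chain already fails the
    # handshake, but forwarding the result lets the app and logs record it.
    http-request set-header X-SSL-Client-Verify %[ssl_c_verify]
    http-request set-header X-SSL-Client-DN     %[ssl_c_s_dn]
    # Variant for the HTTP-level error pages Joao describes: switch the bind
    # to "verify optional" (the dialog is expected on this hostname) and
    # reject at the HTTP layer instead of at the handshake:
    #   http-request deny if ! { ssl_c_used }       # no certificate presented
    #   http-request deny if ! { ssl_c_verify 0 }   # presented but not trusted
    default_backend be_app

backend be_app
    server app1 10.0.0.10:8080 check
```

Check the result with `haproxy -c -f haproxy.cfg`, then confirm that the public hostname completes a TLS handshake without a CertificateRequest while the dedicated hostname refuses connections that present no certificate from the configured CA.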