Client certificate auth blocks access for some certs

I’m trying to set up client-based authentication and got a weird problem. When using smartcard certs I get the error
SSL client certificate not trusted
even though I’ve set “verify optional” and “crt-ignore-err all ca-ignore-err all” in my frontend. The smartcard certificate validates fine using openssl on the client using the CA specified as CA in haproxy.conf. The most strange thing is that if I use a self-signed certificate then it works.
Any suggestions on what might be causing this?

Simplified config I am using:
global
    chroot /var/lib/haproxy
    user haproxy
    group haproxy
    daemon
    crt-base /etc/haproxy/ssl
    ssl-server-verify none

frontend main
    bind :443 ssl crt website-cert.pem ca-file client-CA-with-chain.pem verify optional crt-ignore-err all ca-ignore-err all
    default_backend test

backend test
    cookie SRVID insert nocache
    server server1 127.0.0.1:8088 maxconn 1

curl using a self-signed cert against haproxy with netcat running on the backend:
curl --insecure --cert-type pem --cert test-cert.pem https://netcat-server
netcat server output:
ncat -l 127.0.0.1 8088
GET / HTTP/1.1
host: netcat-server
user-agent: curl/7.66.0
accept: */*
x-ssl: 1
x-ssl-client-sha1: &y�5e��T�%0F%7F�}A�%14%1A�)�
x-ssl-client-verify: 21
x-ssl-client-dn: dn string
x-ssl-issuer: issuer string
connection: close

curl using the smartcard cert against haproxy with netcat running on the backend:
curl -v --insecure -E 'pkcs11:URL' https://netcat-server
Enter PKCS#11 token PIN for Instant EID IP9 (identification):
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Request CERT (13):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS handshake, CERT verify (15):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server did not agree to a protocol
* Server certificate:

* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
> GET / HTTP/1.1
> Host: helpdesk.cardservices.no
> User-Agent: curl/7.66.0
> Accept: */*
>
* TLSv1.3 (IN), TLS alert, bad certificate (554):
* OpenSSL SSL_read: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate, errno 0
* Closing connection 0
curl: (56) OpenSSL SSL_read: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate, errno 0

netcat gives no output and the haproxy log gives the error "SSL client certificate not trusted", so the connection is closed at the frontend for some reason.

Does anyone have any suggestions on how to debug further? Also, why does haproxy block access with ‘certificate not trusted’ even though I’ve set ‘verify optional’? That’s the thing that bothers me most…
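
Added example (not part of the original posts and not HAProxy code): with "verify optional" plus "crt-ignore-err all", a request like the self-signed one above still reaches the backend, carrying `x-ssl-client-verify: 21`, so the backend has to gate on these headers itself. The Python below assumes the header is filled from HAProxy's `ssl_c_verify` and that the proxy overwrites any client-supplied copies of the headers; the function names and the sample request are constructed for illustration.

```python
# Backend-side gate for the x-ssl-* headers seen in the netcat capture.
# Assumption: x-ssl-client-verify carries ssl_c_verify (an OpenSSL X509_V_* code).
X509_VERIFY = {  # subset of OpenSSL verify result codes
    0: "ok",
    10: "certificate has expired",
    18: "self-signed certificate",
    19: "self-signed certificate in chain",
    20: "unable to get local issuer certificate",
    21: "unable to verify the first certificate",
    23: "certificate revoked",
}

def parse_headers(raw_request: str) -> dict:
    """Return lower-cased header names mapped to values from a raw HTTP request."""
    headers = {}
    for line in raw_request.splitlines()[1:]:  # skip the request line
        if not line.strip():
            break  # end of the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def client_cert_decision(headers: dict) -> tuple:
    """Return (trusted, reason); trust only a presented certificate with code 0."""
    if headers.get("x-ssl") != "1":
        return False, "request did not arrive over TLS"
    if not headers.get("x-ssl-client-dn"):
        # With verify optional, "no certificate sent" also reports verify code 0.
        return False, "no client certificate presented"
    try:
        code = int(headers.get("x-ssl-client-verify", ""))
    except ValueError:
        return False, "missing or malformed verify code"
    if code != 0:
        return False, "verify code %d: %s" % (code, X509_VERIFY.get(code, "unknown"))
    return True, "verified client certificate"

# Constructed sample modelled on the self-signed capture above.
SAMPLE = (
    "GET / HTTP/1.1\r\n"
    "host: netcat-server\r\n"
    "x-ssl: 1\r\n"
    "x-ssl-client-verify: 21\r\n"
    "x-ssl-client-dn: dn string\r\n"
    "connection: close\r\n\r\n"
)

if __name__ == "__main__":
    print(client_cert_decision(parse_headers(SAMPLE)))
```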

I’m affected by this too. verify optional + crt-ignore-err all ca-ignore-err all are bugged; HAProxy does not respect them in some situations. It’s a regression, since HAProxy 1.5.10 works fine, while the exact same config and requests to 2.1.8-1ppa1~focal fail.

My team will try recreating the problem in Docker, and we’ll check against each available HAProxy to understand in which version the regression was introduced.