Client Side Certificate SSL - Error Loging for HAProxy


#1

Hello

I have a setup with HAProxy Client side certificate verification required.

I want to log Client Side Certificate SSL errors including the source-ip & client side certificate CN and CA CN when SSL Handshake fails.

Please suggest a config logging command to log source-ip & client side certificate CN and CA CN for SSL handshake error case

But below config does not list client certificate details for SSL handshake error

HAProxy logs for SSL Error:
10.128.41.12:33085 [10/May/2016:23:03:45.324] http-in/1: SSL handshake failure

HAProxy logs for SSL success:
10.128.41.12:33099 [10/May/2016:23:56:38.797] http-in~ app/app1 93/0/1/2/96 200 289 - - ---- 1/1/0/1/0 0/0 {0,"/C=IN/ST=Karnataka/L=Bengaluru/CN=client1","/C=IN/ST=Karnataka/L=Bengaluru/CN=ca"} “GET /whoami.html HTTP/1.1”

HAProxy Config:
frontend http-in
mode http
log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ {%[ssl_c_verify],%{+Q}[ssl_c_s_dn],%{+Q}[ssl_c_i_dn]}\ %{+Q}r

bind *:443 ssl crt /etc/haproxy/server.pem ca-file /etc/haproxy/ca.crt verify required

use_backend app
default_backend app
reqadd X-Forwarded-Proto:\ https if { ssl_fc }
option forwardfor

Thanks,
Deepak


#2

Deepak, if there is a Handshake error, then a certificate is not actually presented in most cases so there won’t be any additional info to log.

What you should do though is setup your certificate revocation list. That one should be able to log a cert when it fails.