Hello,
I have a setup where HAProxy requires client-side certificate verification.
I want to log client-side certificate SSL errors, including the source IP, the client certificate CN and the CA CN, when the SSL handshake fails.
Please suggest a logging configuration that logs the source IP, the client certificate CN and the CA CN in the SSL handshake error case.
The config below does not list the client certificate details for an SSL handshake error.
HAProxy logs for SSL Error:
10.128.41.12:33085 [10/May/2016:23:03:45.324] http-in/1: SSL handshake failure
HAProxy logs for SSL success:
10.128.41.12:33099 [10/May/2016:23:56:38.797] http-in~ app/app1 93/0/1/2/96 200 289 - - ---- 1/1/0/1/0 0/0 {0,"/C=IN/ST=Karnataka/L=Bengaluru/CN=client1","/C=IN/ST=Karnataka/L=Bengaluru/CN=ca"} "GET /whoami.html HTTP/1.1"
HAProxy Config:
frontend http-in
    mode http
    log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ {%[ssl_c_verify],%{+Q}[ssl_c_s_dn],%{+Q}[ssl_c_i_dn]}\ %{+Q}r
    bind *:443 ssl crt /etc/haproxy/server.pem ca-file /etc/haproxy/ca.crt verify required
    use_backend app
    default_backend app
    reqadd X-Forwarded-Proto:\ https if { ssl_fc }
    option forwardfor
Thanks,
Deepak
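
Added example, not part of the original post: a Python log triage script that parses the two line shapes shown above and, for each source IP with handshake failures, lists the client and CA CNs that the same IP presented on requests that succeeded. The correlation by source IP is a heuristic assumed here (it does not identify the certificate that failed), and the names `summarize` and `cn_of` and the third sample line are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the post's two lines plus one made-up failure from 192.0.2.7.
SAMPLE_LOG = """\
10.128.41.12:33085 [10/May/2016:23:03:45.324] http-in/1: SSL handshake failure
10.128.41.12:33099 [10/May/2016:23:56:38.797] http-in~ app/app1 93/0/1/2/96 200 289 - - ---- 1/1/0/1/0 0/0 {0,"/C=IN/ST=Karnataka/L=Bengaluru/CN=client1","/C=IN/ST=Karnataka/L=Bengaluru/CN=ca"} "GET /whoami.html HTTP/1.1"
192.0.2.7:40100 [10/May/2016:23:57:01.002] http-in/1: SSL handshake failure
"""

ENDPOINT = r'^(?P<ip>[0-9a-fA-F.:]+):(?P<port>\d+) \[(?P<ts>[^\]]+)\] '
# Failure lines, as in the post, carry only source, timestamp and frontend.
FAILURE = re.compile(ENDPOINT + r'(?P<frontend>\S+)/\d+: SSL handshake failure$')
# Successful requests carry the {ssl_c_verify,"subject DN","issuer DN"} group
# produced by the log-format in the post.
SUCCESS = re.compile(
    ENDPOINT + r'.*\{(?P<verify>\d+),"(?P<subject>[^"]*)","(?P<issuer>[^"]*)"\}')


def cn_of(dn):
    """Return the CN of a one-line DN (/C=IN/.../CN=client1), or the DN if it has none."""
    m = re.search(r'/CN=([^/]+)', dn)
    return m.group(1) if m else dn


def summarize(lines):
    """Map source IP -> handshake failure count and (client CN, CA CN) pairs seen."""
    hosts = defaultdict(lambda: {"failures": 0, "certs": set()})
    for line in lines:
        line = line.strip()
        m = FAILURE.match(line)
        if m:
            hosts[m.group("ip")]["failures"] += 1
            continue
        m = SUCCESS.match(line)
        if m:
            pair = (cn_of(m.group("subject")), cn_of(m.group("issuer")))
            hosts[m.group("ip")]["certs"].add(pair)
    return dict(hosts)


if __name__ == "__main__":
    for ip, info in sorted(summarize(SAMPLE_LOG.splitlines()).items()):
        if info["failures"]:
            known = sorted(info["certs"]) or "no certificate seen from this IP"
            print(ip, "failures:", info["failures"], "certs on successful requests:", known)
```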