Hi,
I have a problem with using a CRL in HAProxy. In short, if I have two certificates and add a CRL for one of them, then the other one also breaks.
Long story: I am using HAProxy Ingress and started a discussion with Joao Morais there; however, I am able to reproduce this issue with pure HAProxy (kudos to Joao for helping with this).
My HAProxy config:

```
defaults
    timeout server 1m
    timeout client 1m
    timeout connect 5s

listen l
    bind :443 ssl crt-list /tmp/crt.list ca-ignore-err all crt-ignore-err all
    mode http
    http-request deny if { ssl_c_verify gt 0 }
    http-request return content-type "text/plain" string "ok\n"
```

and crt.list content:

```
tmp/crt.pem [ca-file /tmp/ca.pem verify optional crl-file /tmp/crl.pem] !*
```
I have the following certificate chain: RootCA → Intermediate → (leaf certificate A, leaf certificate B).
In ca.pem I have my Intermediate certificate, which is used for mTLS. In crl.pem I have leaf certificate B.
My assumption was that I should still be able to authorize using certificate A, since only B is revoked.
Unfortunately it doesn't work like that. I executed the following tests:
In the first scenario I am adding `crl-file /tmp/crl.pem` into the crt.list file; here are the results:
- Test with valid certificate A - getting 403
- Test with revoked certificate B - getting 403
- Test with invalid certificate C - getting 403
Then I executed the same test but without the CRL. I simply removed `crl-file /tmp/crl.pem` from the config. The results were as follows:
- Test with valid certificate A - getting OK response
- Test with revoked certificate B - getting OK response (it's because I haven't declared crl-file, of course)
- Test with invalid certificate C - getting 403
As I could clearly see, adding the CRL breaks the valid certificate for some reason.
The test was executed using docker haproxy:2.2.10-alpine.
Please advise if I am doing something wrong, or maybe it's just a bug?
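To narrow this down, here is an added reproduction (not code from the post or from HAProxy) that builds the same kind of chain with OpenSSL and runs OpenSSL's own verifier in leaf-only and chain-wide CRL mode; the chain-wide mode is, to my knowledge, what HAProxy's crl-file enables, and it needs a CRL from every CA in the chain, so the intermediate's CRL alone does not cover the intermediate itself even when ca.pem holds only the intermediate. It assumes openssl 1.1.1 or newer on PATH; all names, files and the `check` helper are constructed for this example.

```shell
# Added reproduction, not from the post or HAProxy: same chain (RootCA -> Intermediate ->
# leaf A, leaf B), CRL revoking B, then OpenSSL's own verifier under each CRL-checking mode.
set -e; cd "$(mktemp -d)"
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ root ]
database = root.idx
crlnumber = root.crlnum
private_key = root.key
certificate = root.pem
[ int ]
database = int.idx
crlnumber = int.crlnum
private_key = int.key
certificate = int.pem
EOF
touch root.idx int.idx; echo 01 > root.crlnum; echo 01 > int.crlnum
KEY="-newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes"
openssl req -x509 $KEY -keyout root.key -out root.pem -subj /CN=RootCA -days 30 \
  -config ca.cnf -extensions v3_ca 2>/dev/null
openssl req -new $KEY -keyout int.key -subj /CN=Intermediate -config ca.cnf 2>/dev/null |
  openssl x509 -req -CA root.pem -CAkey root.key -CAcreateserial -days 30 \
    -extfile ca.cnf -extensions v3_ca -out int.pem 2>/dev/null
for l in a b; do   # leaf A and leaf B, both issued by the intermediate
  openssl req -new $KEY -keyout $l.key -subj /CN=leaf-$l -config ca.cnf 2>/dev/null |
    openssl x509 -req -CA int.pem -CAkey int.key -CAcreateserial -days 30 -out $l.pem 2>/dev/null
done
CA="openssl ca -config ca.cnf -md sha256 -crldays 30"
$CA -name int -revoke b.pem 2>/dev/null                 # revoke leaf B only
$CA -name int -gencrl -out int.crl 2>/dev/null
$CA -name root -gencrl -out root.crl 2>/dev/null       # empty CRL, but the root needs one
cat root.pem int.pem > chain.pem; cat int.crl root.crl > both.crl
# check CAFILE CERT [verify flags...] -> "ok" or the verifier's reason text
check() { ca=$1; c=$2; shift 2
  out=$(openssl verify -CAfile "$ca" "$@" "$c" 2>&1) && echo ok ||
    echo "$out" | sed -n 's/.*lookup: *//p' | head -n 1; }
# Leaf-only CRL check: only the leaf is looked up, so the intermediate's CRL suffices.
check chain.pem a.pem -crl_check -CRLfile int.crl              # ok
check chain.pem b.pem -crl_check -CRLfile int.crl              # certificate revoked
# Chain-wide check: every CA in the chain is CRL-checked too, so the intermediate needs
# a CRL from the root, even when the CA file holds only the intermediate (-partial_chain).
check chain.pem a.pem -crl_check_all -CRLfile int.crl          # unable to get certificate CRL
check int.pem a.pem -partial_chain -crl_check_all -CRLfile int.crl   # same failure
check chain.pem a.pem -crl_check_all -CRLfile both.crl         # ok with the root CRL added
```

If HAProxy behaves like the chain-wide case, concatenating the root CA's CRL into /tmp/crl.pem is the thing to try before filing a bug.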