HAProxy community

Is "verify none" working for an expired certificate?

#1

Hi,
I have a short question (I tried it and my assumptions seem to be correct, but I just want to double check): can I let a certificate expire on the backend, have “verify none” and a valid certificate on the frontend, and not have any issue?
I am currently moving machines that have a valid certificate behind HAProxy, so on the date that a certificate expires, I want to make sure that if a valid certificate is exposed on the frontend, the backends with an expired certificate will be fine.

Thanks.

#2

If by “not have any issue” you mean that the certificate expiration on the backend server will continue to be ignored, then yes, you will not have any issue.

Here is why: when you terminate SSL (use the ssl keyword on bind or server configuration lines), you are really ending everything related to SSL and forwarding only the unencrypted payload (or, when we are talking about a server: re-encrypting everything from scratch).

So “problems” related to SSL certificates on the backend, or even SSL settings, never affect SSL configurations on the frontend, because they are completely decoupled. Only if you don’t terminate SSL (forward encrypted traffic transparently) will you see end-to-end issues, if any.
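To make the decoupling described in the reply concrete, here is an added example configuration (written for this page, not taken from the thread or from HAProxy's documentation). It shows the layout the question describes, a valid certificate on the frontend and `verify none` towards a backend whose certificate may have expired, next to a hardened backend that actually validates the backend certificate. Paths, addresses and hostnames (`public.example.com.pem`, `internal-ca.pem`, `10.0.0.11`, `app1.internal.example.com`) are placeholders.

```haproxy
# Added example, not from the original thread.
# TLS is terminated on the frontend and re-established towards the backend,
# so the client-facing certificate and the backend certificate are independent.
global
    log stdout format raw local0

defaults
    mode http
    log global
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend fe_https
    # The only certificate clients ever see: this is the one that must stay valid.
    bind :443 ssl crt /etc/haproxy/certs/public.example.com.pem
    default_backend be_app_unverified

# The situation from the question: HAProxy re-encrypts to the backend but
# "verify none" checks nothing about the backend certificate (expiry, chain,
# hostname). An expired certificate on app1 therefore does not break the
# frontend. It also means anything answering on 10.0.0.11:443 is accepted, so
# this is only acceptable on a network segment you fully control.
backend be_app_unverified
    server app1 10.0.0.11:443 ssl verify none check

# Hardened variant: validate the backend certificate against an internal CA
# and pin the expected hostname. Here an expired backend certificate fails
# the TLS handshake (and the health check), so renew backend certificates
# before moving a backend to this form.
backend be_app_verified
    server app1 10.0.0.11:443 ssl verify required ca-file /etc/haproxy/certs/internal-ca.pem sni str(app1.internal.example.com) verifyhost app1.internal.example.com check
```

Validate the file with `haproxy -c -f haproxy.cfg` before reloading. Note that HAProxy refuses to start a server line that uses `ssl` without either `verify none` or a CA file to verify against, so the choice between the two backends above has to be made explicitly. Health checks follow the same `verify` setting as regular traffic, so with `verify none` an expired backend certificate will not show up as a failed check either; if you want to be warned before backend certificates expire, monitor them separately rather than relying on HAProxy.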

#3

Thanks for your clarification.

Best.