Mutual TLS with client hostname/san validation

Hi,

I have seen and tested that HAProxy can successfully do client authentication based on client SSL certificates.

But what I miss in this client certificate authentication is the CN or SAN validation.
So in other words, how to ensure HAProxy validates the host (client) name against the name specified in the client certificate (SAN or CN)?

From what I have tested, this validation does not take place, which results in a client certificate that can still be shared and used by multiple clients. Are there any options within HAProxy to ensure such validation can take place?

Am I overlooking something here?

Thanks,

Maarten

I don't understand: CN/SAN validation against what, exactly? The reverse DNS record? That is attacker controlled; it doesn't make any sense to restrict that.

This is the first time I hear about hostname validation for client TLS certificates, and I don’t understand how that would make any sense.

Yes, that's how TLS works: your private key must not be compromised. When you lose a device with a private key, you need to revoke it immediately and make sure that revocations are handled by the entire chain (including HAProxy).

TLS client certificate authentication is not a replacement for user authentication. It just authenticates a particular certificate (possibly bound to a certain device, if not compromised).
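The following configuration is an added example written for this thread; it is not from either poster and is not HAProxy's own documentation. It shows the two controls the discussion above leaves HAProxy with: certificate verification against a private CA plus its CRL (so a revoked key is rejected), and an allow-list on the certificate's subject CN so only known certificates are admitted. The file paths, the list file and the backend name are assumptions. Note that this pins which certificate may connect, not which host presents it, which is exactly the limitation described above.

```haproxy
# Added example, not from the original thread. Paths and names are assumed.
frontend mtls_in
    # Require a client certificate issued by our private CA and reject any
    # certificate listed in the CA's CRL. crl-file only works together with ca-file.
    bind :443 ssl crt /etc/haproxy/certs/server.pem \
        ca-file /etc/haproxy/certs/client-ca.pem \
        crl-file /etc/haproxy/certs/client-ca.crl \
        verify required

    # Allow-list on the subject CN: one CN per line in the assumed list file.
    # A valid, unrevoked certificate with a CN not in the list is still refused.
    acl allowed_client ssl_c_s_dn(CN) -m str -f /etc/haproxy/allowed-client-cns.lst
    http-request deny deny_status 403 unless allowed_client

    # Pass the authenticated identity to the backend for per-client
    # authorization and audit logging; never trust these headers from the client.
    http-request del-header X-Client-CN
    http-request del-header X-Client-Serial
    http-request set-header X-Client-CN %[ssl_c_s_dn(CN)]
    http-request set-header X-Client-Serial %[ssl_c_serial,hex]

    # Log which certificate was used so a shared or stolen key shows up as
    # the same CN/serial arriving from unexpected source addresses.
    log-format "%ci:%cp [%tr] %ft cn=%[ssl_c_s_dn(CN)] serial=%[ssl_c_serial,hex] %ST %r"

    default_backend app

backend app
    server app1 10.0.0.10:8080
```

With `verify required` the TLS handshake itself fails for an unknown or revoked certificate, so the HTTP rules only see certificates that already chain to the CA. If you instead use `verify optional`, the same rules can inspect `ssl_c_used` and `ssl_c_verify` to decide per request. Keeping the CRL file current (and reloading HAProxy after updating it) is what makes the revocation step in the reply above effective.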

Hostname validation has been a part of OpenSSL for some time, so it's not something that does not make any sense:
https://wiki.openssl.org/index.php/Hostname_validation
I was just curious if it could be used with client certificates.

I do agree, however, that it is attacker controlled, since it is usually easier for an attacker to change the hostname of a client than of a server, so purely relying on client certificates is not an option. :smiley:

Thanks Lukas.