[Solved] Unexpected behaviour in SSL termination


#1

Hello,

I’m using SSL termination in HAProxy. HAProxy is handling connections from multiple hosts on port 443. We have different certificates for different hosts, so I chose to use crt-list in the ssl directive to provide a mapping file of hosts and their certificates.

Here are haproxy.cfg and crt-list.txt:

frontend https-in
bind 0.0.0.0:443 ssl crt-list /etc/haproxy/crt-list.txt

and crt-list.txt:

# crt-list format: <crtfile> [<sni filter> ...] (certificate path first, SNI filter after it)
/path/to/foo.pem host1
/path/to/bar.pem host2

When I come from host1 or host2, it takes the correct configuration, but when I come from another domain, for example host3, it takes the certificate of host1. I don’t know whether it should happen or not.

I think I can redirect to HTTP if the host does not exist in the crt-list.txt file, but I don’t know how to accomplish that. Or if anyone has a suggestion on what the correct way to handle the request is, it would be welcome.

Thanks & Regards,
Chintan Patel


#2

Expected behavior as documented:
https://cbonte.github.io/haproxy-dconv/1.7/configuration.html#5.1-crt-list

Use strict-sni to reject those TLS sessions:
https://cbonte.github.io/haproxy-dconv/1.7/configuration.html#5.1-strict-sni
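As an added example (not from the thread), the poster’s frontend with strict-sni applied, plus a crt-list written in the documented `<crtfile> [<sni filter> ...]` order; the backend name, server address and certificate paths are placeholders.

```haproxy
# --- /etc/haproxy/haproxy.cfg (added example, placeholders throughout) ---
frontend https-in
    mode http
    # strict-sni: a ClientHello whose SNI matches no crt-list entry is
    # refused during the TLS handshake with a fatal alert, instead of
    # silently being served the first certificate in the list.
    bind 0.0.0.0:443 ssl crt-list /etc/haproxy/crt-list.txt strict-sni
    default_backend app

backend app
    # placeholder origin server
    server app1 127.0.0.1:8080

# --- /etc/haproxy/crt-list.txt (added example) ---
# Format: <crtfile> [<sni filter> ...]. The certificate path comes first;
# the SNI names it serves follow it. Lines starting with '#' are comments.
/path/to/foo.pem host1
/path/to/bar.pem host2
```

Because the rejection happens inside the TLS handshake, no HTTP request is ever received from a client presenting an unknown SNI, so an HTTP redirect for those hosts is not possible from this frontend. A quick check is `openssl s_client -connect <haproxy-ip>:443 -servername host3`, which should fail to complete the handshake once strict-sni is in place.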


#3

Thanks @lukastribus for your help. It worked. :)