HAProxy community

Ssl_client_certificate and ssl_verify_client to haproxy


#1

Hello guys,

I’m having a hard time trying to convert this snippet from nginx to haproxy:

    ### SSL cert files ###
    ssl                  on;
    ssl_certificate      /keys/xxx.com.pem;
    ssl_certificate_key  /keys/xxx.com.key;
    ssl_client_certificate /keys/client_certs.crt;
    ssl_verify_client on;
    ssl_verify_depth 2;

The goal is to require the client to be authenticated through a certificate listed in “client_certs.crt”.

Could you please help with the equivalent in haproxy?

Thanks!!!


#2

Hi,
In order to verify client certificates in HAProxy, you need to set the “verify” option to “required”. The certificates provided by the client are to be verified using a CA listed in “ca-file”, which is a PEM file containing CA certificates.

For you to implement the nginx snippet in HAProxy, you would need to make below changes in the frontend section of haproxy.cfg:

	frontend example_FE
		mode http
		# crt: server certificate + key (PEM); ca-file: CA bundle used to verify client certs;
		# verify required: reject the handshake if no valid client certificate is presented
		bind *:443 ssl crt /keys/xxx.com.pem ca-file /keys/client_certs.crt verify required
		default_backend example_BE

Also, as far as I am aware, haproxy does not support limiting client ssl certificate verification depth. Therefore, ssl_verify_depth is not configured in the above haproxy configuration.

Hope this is helpful !

Thanks,
Shivharsh


#3

Regarding the ssl verification depth, haproxy verifies the entire chain. You can access variables like ssl_c_ca_err_depth or ssl_c_ca_err to understand what error happened at what depth.

You can also choose to ignore certain errors with ca-ignore-err.

None of this should be necessary though, as by default haproxy verifies the full chain, which you probably expect.
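As an added, fuller example (not posted by anyone in this thread), the configuration below puts together the points from #2 and #3: a strict frontend that is the direct equivalent of the nginx snippet, and an alternative frontend using `verify optional` so that the verification result, error code and error depth can be logged and acted on in HTTP rules. The paths `/keys/xxx.com.pem` and `/keys/client_certs.crt` are taken from the original question; the listener port 8443, the backend address and the header names are assumptions for illustration.

```haproxy
# Added example, not from the thread. Assumes /keys/xxx.com.pem holds the
# server certificate and key, and /keys/client_certs.crt the CA bundle that
# issued the client certificates.

global
    log stdout format raw local0

defaults
    mode http
    log global
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Strict variant: same behaviour as the nginx snippet. Clients without a
# certificate that chains to a CA in ca-file never complete the handshake.
# HAProxy checks the whole chain; there is no equivalent of ssl_verify_depth.
frontend example_FE
    bind *:443 ssl crt /keys/xxx.com.pem ca-file /keys/client_certs.crt verify required

    # Forward the verified identity to the backend. Delete any client-supplied
    # copy first so the backend only ever sees the value HAProxy set.
    http-request del-header X-SSL-Client-CN
    http-request set-header X-SSL-Client-CN %[ssl_c_s_dn(cn)]
    http-request set-header X-SSL-Client-Serial %[ssl_c_serial,hex]

    default_backend example_BE

# Inspecting variant: 'verify optional' lets the handshake complete so the
# verification outcome can be logged and the decision made in HTTP rules.
# ssl_c_verify  : overall verify result (0 = OK)
# ssl_c_err     : first error at depth 0 (the client leaf certificate)
# ssl_c_ca_err  : first error at depth > 0 (an issuing CA in the chain)
# ssl_c_ca_err_depth : depth at which that CA error occurred
frontend example_FE_inspect
    bind *:8443 ssl crt /keys/xxx.com.pem ca-file /keys/client_certs.crt verify optional
    log-format "%ci:%cp [%t] %ft used=%[ssl_c_used] verify=%[ssl_c_verify] err=%[ssl_c_err] ca_err=%[ssl_c_ca_err] ca_err_depth=%[ssl_c_ca_err_depth] cn=%{+Q}[ssl_c_s_dn(cn)]"

    # Refuse requests where no certificate was presented or verification failed.
    http-request deny deny_status 403 if !{ ssl_c_used } || { ssl_c_verify gt 0 }

    http-request del-header X-SSL-Client-CN
    http-request set-header X-SSL-Client-CN %[ssl_c_s_dn(cn)]

    default_backend example_BE

backend example_BE
    # Assumed application address.
    server app1 127.0.0.1:8080
```

The strict frontend is what the question asks for; the inspecting one is only useful when you want per-request visibility into why a client was refused (for example while rolling out a new CA), because with `verify required` a failing client is dropped at the TLS layer before any HTTP rule runs.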


#4

Thanks guys! I’m using:

    bind :11001 transparent ssl crt bla.crt ca-file bla.crt verify required crl-file client_certs.crt crt-ignore-err all

And it’s working!