greenhost / certbot-haproxy

HAProxy plugin for Let's Encrypt's Certbot

Fallback Certificate Customization #16

Closed troyfontaine closed 6 years ago

troyfontaine commented 6 years ago

After I gave myself a heart attack, I discovered that the __fallback.pem contains extremely dodgy information. Perhaps noting in the documentation that the Fallback certificate defaults to a very "U GOT PWNED N00B" set of certificate info would be appropriate?

Alternatively, providing documentation or a way to customize it would be in order? That way if an admin missed a SAN on a certificate they don't end up getting themselves hauled into their manager's office and an explanation demanded as to how their HAProxy server got hacked?

SnijderC commented 6 years ago

Hi Troy,

Sorry you almost had a heart attack, happy to hear you are still with us. Also sorry for the late response to your issue.

The fallback certificate is not supposed to be served when configured correctly. HAProxy will not start if there is no certificate in the certificate directory. Also, if you have many certificates and you connect to the proxy with a host name that doesn't have a certificate (but port 443 happens to be open), the first certificate in the certificate directory is served, meaning you could see a completely unrelated certificate with the wrong CN in your browser, which is arguably more dodgy than an invalid certificate, and IMO more correct, as it is not the wrong domain, it just doesn't have a certificate.

To be fair, it doesn't say: "U GOT PWNED N00B" literally. But you are right that it could be improved. However, we have also found that recent versions of HAProxy can be configured without a fallback certificate, so I think we will focus on that in a future version. And for now I did do a minor tweak because the country code was not very nice.

Hope it helps
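
Added example, not part of the thread or of certbot-haproxy's code: a simplified Python model of the selection behaviour described in the comment above, showing when `__fallback.pem` is presented, what is presented without it, and the effect of HAProxy's `strict-sni` bind option. The file names and SAN lists are constructed, and the load order is assumed to be plain byte order (the real order depends on HAProxy's directory scan and locale).

```python
# Simplified model of certificate choice for `bind :443 ssl crt <directory>`.
# Constructed sample data; the SAN lists stand in for the names in each PEM file.
CERT_DIR = {
    "example.org.pem": ["example.org", "www.example.org"],
    "example.net.pem": ["example.net", "*.example.net"],
    "__fallback.pem": [],  # placeholder: matches no real host name
}

def load_order(cert_dir):
    """Files load in alphabetic order; assumed here to be byte order (C locale)."""
    return sorted(cert_dir, key=lambda name: name.encode())

def select_cert(cert_dir, sni, strict_sni=False):
    """Return the file that would be presented, or None if the handshake is refused."""
    order = load_order(cert_dir)
    if sni:
        host = sni.lower()
        # A wildcard covers exactly one leading label: a.example.net -> *.example.net
        wildcard = "*." + host.split(".", 1)[1] if "." in host else None
        for name in order:
            sans = cert_dir[name]
            if host in sans or (wildcard and wildcard in sans):
                return name
    if strict_sni:
        return None  # no default certificate is used for unmatched or missing SNI
    # Otherwise the first loaded certificate is the default for everything else.
    return order[0] if order else None

if __name__ == "__main__":
    without_fallback = {k: v for k, v in CERT_DIR.items() if k != "__fallback.pem"}
    # A digit sorts before "_" in byte order, so this file would displace the fallback.
    with_digit = dict(CERT_DIR, **{"1stdomain.example.pem": ["1stdomain.example"]})
    print("load order:", load_order(CERT_DIR))
    print("matched SNI:", select_cert(CERT_DIR, "Shop.Example.NET"))
    print("missing SAN, fallback present:", select_cert(CERT_DIR, "missing.example.org"))
    print("missing SAN, no fallback:", select_cert(without_fallback, "missing.example.org"))
    print("missing SAN, strict-sni:", select_cert(CERT_DIR, "missing.example.org", True))
    print("default with digit-named file:", select_cert(with_digit, None))
```

In this model the fallback only acts as the default while its file name sorts first, so checking the directory's sort order is part of verifying the setup.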

troyfontaine commented 6 years ago

Thanks!