Open ndbemmanuel opened 3 years ago
IIRC the details of this functionality, the SNI extension has three roles:
The first two options are a matter of configuring mTLS in the default backend, but HAProxy Ingress currently doesn't do this and I'll take care of it. The third and last option compares SNI and the Host header if a certificate was provided; this behavior can be changed in favor of a less secure deployment, which isn't a problem at all if all of your clients use the same CA bundle.
Is this approach useful in your use case?
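The two mechanisms discussed above (mTLS on the certificate that non-SNI clients receive, plus refusing a Host header that differs from the SNI once a client certificate was used) can be expressed in plain HAProxy configuration. The fragment below is an added example for this thread; it is not configuration generated by HAProxy Ingress and not from any participant. The file paths, host names (legacy.example.com, app.example.com), backend names and server addresses are placeholders, and it assumes the crt-list per-certificate `verify`/`ca-file` options apply to the default (first) certificate that no-SNI clients are served.

```haproxy
# Constructed example, not haproxy-ingress output. All paths, hosts, backends
# and addresses below are placeholders.
#
# /etc/haproxy/certs.list (one certificate per line):
#   /etc/haproxy/legacy.example.com.pem [verify optional ca-file /etc/haproxy/ca.pem] legacy.example.com
#   /etc/haproxy/app.example.com.pem app.example.com
# The FIRST entry is the default certificate: it is what a client that sends no
# SNI receives. Do not add "strict-sni" to the bind line; with it a no-SNI client
# fails the handshake, which is the "SSL handshake failure" seen in the logs.

frontend https
    bind :443 ssl crt-list /etc/haproxy/certs.list
    mode http

    # Lower-cased SNI (unset when the client sent none) and Host without the port.
    http-request set-var(txn.sni)  ssl_fc_sni,lower
    http-request set-var(txn.host) req.hdr(host),field(1,:),lower

    acl has_sni     ssl_fc_has_sni
    acl cert_used   ssl_c_used
    acl host_is_sni var(txn.host),strcmp(txn.sni) eq 0

    # A client that authenticated with a certificate for the SNI host must not
    # switch to another virtual host via the Host header (the SNI/Host check).
    http-request deny deny_status 421 if has_sni cert_used !host_is_sni

    # Routing: by SNI when present, otherwise by the Host header. The second
    # group is the "copy of the SNI config applied to the Host header".
    use_backend be_legacy if has_sni  { var(txn.sni)  -m str legacy.example.com }
    use_backend be_app    if has_sni  { var(txn.sni)  -m str app.example.com }
    use_backend be_legacy if !has_sni { var(txn.host) -m str legacy.example.com }
    default_backend be_app

backend be_legacy
    mode http
    # mTLS is enforced per backend, not only at the handshake: with
    # "verify optional" on the certificate, a verified client certificate is
    # required here whether or not the client used SNI.
    http-request deny deny_status 403 if !{ ssl_c_used }
    server legacy 10.0.0.10:8080

backend be_app
    mode http
    server app 10.0.0.20:8080
```

`verify optional` rather than `required` keeps the shared listener usable for hosts that do not need a client certificate; the 403 in `be_legacy` is what actually enforces mTLS, so a client that omits the certificate completes the handshake but gets no content. To reproduce the vendor's behaviour from the command line, `openssl s_client -connect <ip>:443 -noservername` (OpenSSL 1.1.1 and later) sends no SNI, while `curl --resolve legacy.example.com:443:<ip> https://legacy.example.com/` hits the same address with SNI, so the two can be compared against the frontend log.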
Yes, that would be useful.
We only have one host name that needs to support non-SNI clients. It is also currently the only host name that requires mTLS. It would cover our actual use cases and allow setting the configuration without knowing the internal workings of the haproxy.cfg configuration.
So, it will cover these required use cases:
Client not supporting SNI connecting to the host requiring mTLS
Client not supporting SNI without TLS
Client with SNI (with or without mTLS)
Non-required use case, which may be useful for someone else and is not covered by the solution:
Hi jcmoraisjr,
I am working on verifying my cluster with a large provider and it seems they don't support SNI. It was difficult to debug that until I finally did curl https://<ip address>
and got the same error in my logs as with the query from the vendor:
2024-09-23T17:42:51.159898544Z 2024-09-23T17:42:51+00:00 127.0.0.1 1 2024-09-23T17:42:51.159750+00:00 - ingress 4697 - - 10.42.6.110:44780 [23/Sep/2024:17:42:51.124] _front_https/1: SSL handshake failure
mTLS with the FQDN works fine in my tests, but it seems the remote server at the vendor doesn't support this; they are resolving and then using the IP.
I'm happy to create a dedicated ingress controller or even a cluster, if this is possible?
Thanks
Is it possible to add support for mutual TLS authentication without SNI support? We have deployed devices that need mutual TLS authentication and don't support SNI. We did get a somewhat working solution with the following config:
In short, it's a copy of the SNI config but applied to the Host header field.
But that solution has some problems:
Our suggestion: