Channel: HAProxy community - Latest topics

Allow Expired Certs but do CA Verification


@rohans wrote:

Hi Experts,

We are having an issue where a few clients have expired certs, and updating the certs right away is not a feasible option. I am currently working on a config which will allow the clients even if the client has an expired cert, but at the same time we need to validate the certs against our CA, so that anyone who has a self-signed cert not signed by our internal CA should not be able to connect. With the config below, I am able to connect using self-signed certs as well.
Can anyone please suggest? My current config is as follows:


listen wss-https
    # Plain TCP front listener: TLS is not terminated here, so no client
    # certificate is visible on these binds.
    bind *:833 process 1
    bind *:833 process 2
    bind *:833 process 3
    mode tcp
    option tcplog
    tcp-request inspect-delay 2s
    tcp-request content accept if { req.ssl_hello_type 1 }
    # ssl_c_verify only has a value on a bind that terminates TLS itself;
    # on this pass-through bind the fetch has no handshake to read, so this
    # rule never matches.
    use_backend be_ssl_verify_cert_expired if { ssl_c_verify 10 }
    use_backend be_ssl_verify_cert if { req.ssl_sni -m found }
    default_backend be_ssl_noverify

backend be_ssl_verify_cert_expired
    mode tcp
    server fe_ssl_verify_cert 127.0.0.1:806 send-proxy-v2

backend be_ssl_verify_cert
    mode tcp
    server fe_ssl_verify_cert 127.0.0.1:804 send-proxy-v2

backend be_ssl_noverify
    mode tcp
    server fe_ssl_noverify_cert 127.0.0.1:805 send-proxy-v2

listen wss-https1
    # 804: client certificate mandatory, must chain to ca.crt with no error.
    bind 127.0.0.1:804 ssl crt /etc/cert/cert.pem verify required ca-file /etc/cert/ca.crt accept-proxy
    # 805/806: certificate requested but optional. If one is presented it is
    # verified against ca.crt and only verify error 10 (certificate has
    # expired) at depth 0 is ignored; a client that sends no certificate at
    # all is still accepted.
    bind 127.0.0.1:805 ssl crt /etc/cert/cert.pem verify optional crt-ignore-err 10 ca-file /etc/cert/ca.crt accept-proxy
    bind 127.0.0.1:806 ssl crt /etc/cert/cert.pem verify optional crt-ignore-err 10 ca-file /etc/cert/ca.crt accept-proxy
    mode tcp
    maxconn 50000
    option tcplog
    option clitcpka

    # HSTS (15768000 seconds = 6 months)
    # rspadd is an HTTP-mode directive; in a "mode tcp" listener it has no effect.
    rspadd Strict-Transport-Security:\ max-age=15768000

    # Log the verify result, error depth, client subject and validity window
    # so expired and rejected certificates can be traced.
    log-format %ci:%cp\ %fi:%fp\ %bi:%bp\ %H\ %{+Q}[ssl_c_ca_err]\ %{+Q}[ssl_c_ca_err_depth]\ %{+Q}[ssl_c_err]\ %{+Q}[ssl_c_s_dn(O,1)]\ %{+Q}[ssl_c_s_dn(CN)]\ %{+Q}[ssl_c_notbefore]\ %{+Q}[ssl_c_notafter]\ %{+Q}[ssl_fc_has_sni]\ %{+Q}[ssl_fc_sni]\ %{+Q}[ssl_c_key_alg]\ %{+Q}[ssl_f_sig_alg]\ %sslv\ %sslc\ %ft\ %b/%s\ %Tw/%Tc/%Tt\ %B\ %ts\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs
    default_backend backend_http

Posts: 1

Participants: 1
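An added example of the policy the post is asking for, written for this page and not taken from the post or from the HAProxy project: terminate TLS on one bind with `verify required`, list only the expiry error (OpenSSL X.509 verify code 10, `X509_V_ERR_CERT_HAS_EXPIRED`) in `crt-ignore-err`, and route on `ssl_c_verify` inside that same listener, where the fetch has a completed handshake to read. The certificate paths and port 833 follow the post; the backend names, server addresses and log format are assumptions.

```haproxy
# Added example, not the original poster's configuration. Paths follow the
# post; backend names and server addresses are placeholders.

listen wss-https
    # One TLS-terminating bind. "verify required" aborts the handshake when the
    # client sends no certificate, and on every verification error except those
    # listed in crt-ignore-err (depth 0) or ca-ignore-err (depth > 0).
    #   crt-ignore-err 10  = X509_V_ERR_CERT_HAS_EXPIRED on the client leaf
    # A self-signed leaf fails with code 18 (X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT),
    # which is not ignored, so it is rejected before any backend is chosen.
    # The CA chain itself is not relaxed: an expired or unknown issuer still aborts.
    bind *:833 ssl crt /etc/cert/cert.pem ca-file /etc/cert/ca.crt verify required crt-ignore-err 10
    mode tcp
    option tcplog
    maxconn 50000

    # ssl_c_verify returns the OpenSSL verify result for the client certificate.
    # With the bind above only two values can reach the routing rules:
    # 0 (valid, in date) and 10 (chains to ca.crt but expired).
    acl client_cert_valid   ssl_c_verify 0
    acl client_cert_expired ssl_c_verify 10

    # Record the verify result, the leaf/CA error codes and the subject so the
    # clients still presenting expired certificates can be tracked and renewed.
    log-format "%ci:%cp [%t] %ft %b/%s %Tw/%Tc/%Tt %B %ts verify=%[ssl_c_verify] crt_err=%[ssl_c_err] ca_err=%[ssl_c_ca_err] cn=%{+Q}[ssl_c_s_dn(CN)] notafter=%{+Q}[ssl_c_notafter]"

    use_backend be_client_expired if client_cert_expired
    use_backend be_client_ok      if client_cert_valid
    # Any other verify result already aborted the handshake; this is a safety net only.
    default_backend be_client_ok

backend be_client_ok
    mode tcp
    server app 127.0.0.1:804 send-proxy-v2

backend be_client_expired
    mode tcp
    server app_expired 127.0.0.1:806 send-proxy-v2
```

Two caveats worth keeping in mind with this shape. `verify optional`, as used on ports 805 and 806 in the post, admits a client that presents no certificate at all, which is a wider opening than an expired one; `verify required` closes that while `crt-ignore-err 10` still lets the known-expired clients through. And `crt-ignore-err 10` accepts any leaf that chains to the CA regardless of how long ago it expired, so a `crl-file` on the bind (or a short-lived migration deadline for the expired clients) is the only thing that limits that window.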
