I am experiencing a weird problem. I had been using haproxy 1.8.x and then upgraded to 2.2.5 on Debian Buster. I had working client cert authentication that was used with both browser-stored and hardware-token-stored certificates. After upgrading to 2.2.5, client cert authentication stopped working with the hardware token (!) but still works when the same certificate is stored in the Windows / browser cert store. The hardware token is a Gemalto.
haproxy only logs “SSL handshake failure”, nothing more, so it is not easy to debug. If you have any hint or experience, please share it with me. I am a bit surprised that there is any difference in how a certificate is presented to a server based on where it is stored…
Relevant part of my haproxy config:
frontend admin_https_in
    mode http
    bind <myip>:80
    # TLS listener: server cert bundle, P-384 ECDHE, client cert required and
    # checked against mycafile.crt / mycrllist.pem. Verify errors 10 (cert
    # expired), 12 (CRL expired) and 23 (cert revoked) are tolerated at
    # handshake time so the use_backend rules below can serve a custom error
    # page instead of aborting the connection.
    bind <myip>:443 ssl crt mycert_bundle.crt ecdhe secp384r1 ca-file mycafile.crt verify required crt-ignore-err 10,12,23 crl-file mycrllist.pem
    # Custom log format: the usual HTTP log fields plus
    # {ssl_c_verify,"client subject DN","client issuer DN"} and the request line
    log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ {%[ssl_c_verify],%{+Q}[ssl_c_s_dn],%{+Q}[ssl_c_i_dn]}\ %{+Q}r
    # Redirect plain HTTP to HTTPS
    redirect scheme https code 301 if !{ ssl_fc }
    # HSTS
    http-response set-header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;"
    http-request set-header X-Forwarded-Proto https
    # Certificate verify errors (only reachable once the handshake completed)
    # are routed to the custom error page backends
    use_backend cert-error-exp if { ssl_c_verify 10 }
    # use_backend cert-error-crl-exp if { ssl_c_verify 12 }
    use_backend cert-error-rev if { ssl_c_verify 23 }
    # use_backend cert-error-other unless { ssl_c_verify 0 }
    # Client certificate details passed to the backend as request headers
    http-request set-header X-SSL %[ssl_fc]
    http-request set-header X-SSL-CLIENT-VERIFY %[ssl_c_verify]
    http-request set-header X-SSL-CLIENT-HASH %{+Q}[ssl_c_sha1,hex]
    http-request set-header X-SSL-CLIENT-SUBJECT %{+Q}[ssl_c_s_dn]
    http-request set-header X-SSL-CLIENT-ISSUER %{+Q}[ssl_c_i_dn]
    http-request set-header X-SSL-CLIENT-VALID %{+Q}[ssl_c_notafter]
    http-request set-header X-SSL-CLIENT-SN %{+Q}[ssl_c_serial,hex]
    http-request set-header X-SSL-CLIENT-CERT-B64 %{+Q}[ssl_c_der,base64]
    http-request set-header X-SSL-CLIENT-IP %[src]
    http-request set-header X-SSL-SESSION-ID %[ssl_fc_session_id,hex]
    http-request set-header X-SSL-CLIENT-SAN %{+Q}[ssl_c_s_dn(emailAddress)]
    ...

# Client certificate custom error pages. These backends have no servers on
# purpose: haproxy answers 503 and the errorfile replaces the 503 body.
backend cert-error-exp
    mode http
    errorfile 503 /etc/haproxy/errors/cert_error_expired.http
backend cert-error-crl-exp
    mode http
    errorfile 503 /etc/haproxy/errors/cert_error_crl_expired.http
backend cert-error-rev
    mode http
    errorfile 503 /etc/haproxy/errors/cert_error_revoked.http
backend cert-error-other
    mode http
    errorfile 503 /etc/haproxy/errors/cert_error_other.http
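One check that helps when triaging this kind of report, as an added example that is not part of the original post: split the haproxy log into connections that completed the TLS handshake (these carry the {ssl_c_verify,"subject","issuer"} group from the custom log-format above, so the crt-ignore-err / use_backend logic applies to them) and connections that died with the bare "SSL handshake failure" message, which never reached certificate verification and therefore never get an ssl_c_verify value or a custom error page. The script assumes the post's log-format and haproxy's `frontend/bind-id: SSL handshake failure` message shape; the four sample log lines are constructed, not taken from the post.

```python
import re
from collections import Counter

# OpenSSL X509 verify result codes that haproxy exposes through ssl_c_verify.
# The config above ignores 10, 12 and 23 at handshake time (crt-ignore-err)
# and routes them to custom error backends; 0 means the chain verified.
VERIFY_CODES = {
    0: "OK",
    10: "X509_V_ERR_CERT_HAS_EXPIRED",
    12: "X509_V_ERR_CRL_HAS_EXPIRED",
    23: "X509_V_ERR_CERT_REVOKED",
}

# Completed request logged with the custom log-format: client, timestamp,
# frontend and backend/server are matched explicitly, the timer/counter
# fields are skipped, then the {ssl_c_verify,"subject","issuer"} group and
# the quoted request line are captured.
REQ_RE = re.compile(
    r'^(?P<ip>.+?):(?P<port>\d+) \[(?P<ts>[^\]]+)\] (?P<fe>\S+) '
    r'(?P<be>[^/\s]+)/(?P<srv>\S+) .*?'
    r'\{(?P<verify>-?\d+),"(?P<subject>[^"]*)","(?P<issuer>[^"]*)"\} '
    r'"(?P<req>[^"]*)"$'
)

# Connection that never got past the TLS handshake. haproxy logs these with
# the frontend/bind-id and a fixed message; no ssl_c_verify value exists yet.
HS_RE = re.compile(
    r'^(?P<ip>.+?):(?P<port>\d+) \[(?P<ts>[^\]]+)\] '
    r'(?P<fe>[^/\s]+)/(?P<bind>\S+): SSL handshake failure$'
)


def parse_line(line):
    """Return a dict describing one log line, or None if it matches neither shape."""
    m = HS_RE.match(line)
    if m:
        return {"kind": "handshake_failure", **m.groupdict()}
    m = REQ_RE.match(line)
    if m:
        rec = {"kind": "request", **m.groupdict()}
        code = int(rec["verify"])
        rec["verify_code"] = code
        rec["verify_name"] = VERIFY_CODES.get(code, "X509_V_ERR_%d" % code)
        return rec
    return None


def summarize(log_text):
    """Count completed requests per verify result and handshake failures per client IP."""
    verify = Counter()
    failures = Counter()
    requests = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "handshake_failure":
            failures[rec["ip"]] += 1
        else:
            requests += 1
            verify[rec["verify_name"]] += 1
    return {
        "requests": requests,
        "verify": dict(verify),
        "handshake_failures": sum(failures.values()),
        "handshake_clients": sorted(failures),
    }


# Constructed sample lines in the post's log-format (not taken from the post).
SAMPLE_LOG = """\
192.0.2.10:51234 [10/Dec/2020:11:04:22.117] admin_https_in~ app/app1 12/0/1/15/28 200 1532 - - ---- 3/3/0/0/0 0/0 {0,"/C=HU/O=Example/CN=Alice","/C=HU/O=Example CA/CN=Issuing CA"} "GET /admin/ HTTP/1.1"
192.0.2.11:51240 [10/Dec/2020:11:04:25.002] admin_https_in~ cert-error-exp/<NOSRV> 9/-1/-1/-1/9 503 212 - - SC-- 2/2/0/0/0 0/0 {10,"/C=HU/O=Example/CN=Bob","/C=HU/O=Example CA/CN=Issuing CA"} "GET /admin/ HTTP/1.1"
192.0.2.12:51251 [10/Dec/2020:11:04:31.440] admin_https_in/1: SSL handshake failure
192.0.2.12:51252 [10/Dec/2020:11:04:33.901] admin_https_in/1: SSL handshake failure
"""

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("completed requests:", s["requests"], "by verify result:", s["verify"])
    print("handshake failures:", s["handshake_failures"], "from", s["handshake_clients"])
    # A client that only ever shows up as "SSL handshake failure" never reached
    # certificate verification, so crt-ignore-err and the ssl_c_verify-based
    # use_backend rules cannot help it; the failure is earlier in the handshake.
```

Run it against a real haproxy log instead of SAMPLE_LOG to see whether the token-backed clients show up with a verify code (then the error-page routing is the thing to look at) or only as handshake failures (then the problem is in the TLS handshake itself, before haproxy ever evaluates the certificate).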