Hello,
On 12/12/2022 16:45, Froehlich, Dominik wrote:
Hello HAproxy community!
We’ve recently updated from OpenSSL 1.1.1 to OpenSSL 3.0 for our
HAproxy deployment.
We are now seeing some client certificates getting denied with these
error messages:
“SSL client CA chain cannot be verified” / “error:0A000086:SSL routines::certificate verify failed” 30/000000000A000086
We found out that for this CA certificate, the error was
X509_V_ERR_MISSING_SUBJECT_KEY_IDENTIFIER
This error is only thrown if we run openssl verify with the
“-x509_strict” option. The same call (even with the “-x509_strict”
option) on OpenSSL 1.1.1 returned OK and verified.
Indeed, OpenSSL extended what the x509_strict option actually does in
order to follow the requirements described in RFC 5280. OpenSSL's commit
0e071fbce4 gives a detailed list of the extra checks performed when
x509_strict is set.
As this was a bit surprising to us and we now have a customer who
can’t use their client certificate anymore, we wanted to ask for some
details on the OpenSSL verify check in HAproxy:
* How does HAproxy call the “verify” command in OpenSSL?
Actual certificate and certificate chain verification is performed
inside OpenSSL so any default behavior change in OpenSSL itself might
have an impact on which certificate we reject or not.
* Does HAproxy use the “x509_strict” option programmatically?
* Is there a flag in HAproxy that would allow us to temporarily
disable the “strict” setting so that the customer has time to
update their PKI?
I did not try to reproduce the problem you encountered yet but you might
have success with a proper crt-ignore-err and ca-ignore-err combination
(on HAProxy's side). It does not disable strict checking per se but it
could allow you to accept certificates that were otherwise rejected.
* If there is no flag, we could temporarily patch out the code that
uses the flag, can you give us some pointers?
Thanks a lot for your help!
Dominik Froehlich, SAP
Hope this helps.
Rémi LB
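As an added example, not part of the thread and not HAProxy's own documentation: a bind configuration that applies the ca-ignore-err workaround Rémi suggests as narrowly as possible and logs the verification errors that were ignored. It assumes HAProxy 2.6 or later, where ca-ignore-err and crt-ignore-err accept X509_V_ERR constant names (older versions take numeric error IDs); the paths, ports and backend are placeholders.

```haproxy
# Added example (not from the thread). Temporary, narrowly scoped workaround
# until the customer's CA is reissued with a subjectKeyIdentifier extension.
# Assumes HAProxy 2.6+ (error constant names accepted); paths are placeholders.
global
    log stdout format raw local0

defaults
    mode http
    log global
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend fe_mtls
    # verify required: the client must present a certificate chaining to ca-file.
    # ca-ignore-err covers errors found at depth > 0 (the CA chain), which is
    # where X509_V_ERR_MISSING_SUBJECT_KEY_IDENTIFIER is raised for a CA cert.
    # Only that single error is ignored; "all" would silently accept any chain
    # problem. crt-ignore-err is the depth-0 counterpart if the leaf itself
    # were rejected, which this error does not require.
    bind :8443 ssl crt /etc/haproxy/certs/server.pem \
        ca-file /etc/haproxy/certs/customer-ca.pem verify required \
        ca-ignore-err X509_V_ERR_MISSING_SUBJECT_KEY_IDENTIFIER

    # Keep the ignored errors visible: log the overall verify result, the first
    # error at depth 0, and the first CA-chain error with its depth, so the
    # workaround can be tracked and removed once the PKI is fixed.
    log-format "%ci:%cp [%tr] %ft verify=%[ssl_c_verify] c_err=%[ssl_c_err] ca_err=%[ssl_c_ca_err]@%[ssl_c_ca_err_depth] %HM %HU"

    default_backend be_app

backend be_app
    server app1 127.0.0.1:8080
```

Any verification error other than the one listed still aborts the handshake because of verify required; the log line lets you confirm which connections relied on the exception.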