HAProxy ssl verify and Android/Chrome issue



  • Dear All,

    I've a strange issue with HAProxy serving HTTPS pages and phones with Android/Chrome. The issue is the same as described in the following forum: https://stackoverflow.com/questions/19311094/certificate-issue-ssl-page-brings-up-you-need-to-set-a-lock-screen-pin-or-pass.

    According to the HAProxy documentation, I need to set the "verify" option to none:

    "verify [none|optional|required]
    This setting is only available when support for OpenSSL was built in. If set
    to 'none', client certificate is not requested. This is the default. In other
    cases, a client certificate is requested. If the client does not provide a
    certificate after the request and if 'verify' is set to 'required', then the
    handshake is aborted, while it would have succeeded if set to 'optional'. The
    certificate provided by the client is always verified using CAs from
    'ca-file' and optional CRLs from 'crl-file'. On verify failure the handshake
    is aborted, regardless of the 'verify' option, unless the error code exactly
    matches one of those listed with 'ca-ignore-err' or 'crt-ignore-err'."

    In the HAProxy package, if I set the option "Allows clients without a certificate to connect.", then "SSL verify optional" will appear in the config, but I need "SSL verify none". How can I do this?

    Kind Regards,
    bzg



  • https://redmine.pfsense.org/issues/8228#note-5

    "Leave all these options empty"
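
An added example, not part of the thread or of the pfSense HAProxy package: a small Python check that reads a generated haproxy.cfg and reports, for each SSL `bind` line, which `verify` mode is in effect, applying the rule from the documentation quoted above that `none` is the default when the keyword is absent. The sample config, its paths, and the function names are constructed for illustration.

```python
import shlex

# Constructed sample config (not from the thread); paths are placeholders.
SAMPLE_CFG = """\
frontend fe_optional
    bind :443 ssl crt /etc/haproxy/site.pem ca-file /etc/haproxy/ca.pem verify optional
frontend fe_default
    # no verify keyword: the documented default applies
    bind :8443 ssl crt /etc/haproxy/site.pem
frontend fe_plain
    bind :80
"""

SECTION_KEYWORDS = {"global", "defaults", "frontend", "backend", "listen"}


def client_cert_modes(cfg_text):
    """Return [(section, bind_address, verify_mode)] for every SSL bind line."""
    results = []
    section = None
    for raw in cfg_text.splitlines():
        tokens = shlex.split(raw, comments=True)  # drops '#' comments
        if not tokens:
            continue
        if tokens[0] in SECTION_KEYWORDS:
            section = tokens[1] if len(tokens) > 1 else tokens[0]
            continue
        if tokens[0] != "bind" or len(tokens) < 2:
            continue
        address, options = tokens[1], tokens[2:]
        if "ssl" not in options:
            continue  # plain-text listener, no TLS handshake at all
        mode = "none"  # documented default when 'verify' is absent
        if "verify" in options:
            idx = options.index("verify")
            if idx + 1 < len(options):
                mode = options[idx + 1]
        results.append((section, address, mode))
    return results


def requests_client_cert(mode):
    """Per the quoted docs, only 'none' skips the client-certificate request."""
    return mode != "none"


if __name__ == "__main__":
    for section, address, mode in client_cert_modes(SAMPLE_CFG):
        print(section, address, mode, "requests cert:", requests_client_cert(mode))
```
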