Is there a way to prevent SSL requests falling back to an unrelated cert?

[far-blue]

I'm playing with vault certs and I've noticed that if I've only supplied SSL certs for some of the hosts fabio is proxying then those without certs can still be served via the HTTPS proxy but will serve with one of the other host's SSL certs. I'm not sure of which one is picked but I guess it might be the first or last one fabio loads from vault.

I'd prefer not to serve invalid certs for services, even accidentally, so is there an option to reject the connection if there is no matching cert?

[magiconair]

The current behavior is to serve the first certificate if none matched since this matches the TLS behavior of the Go stdlib. I can add that. Shouldn't be difficult.

[magiconair]

@far-blue I am wondering whether the fallback option is a property of the cert source (proxy.cs) or the listener (proxy.addr)? And also, whether it should be fallback with default true or nofallback with default false. Do you have an opinion?

[far-blue]

I would say it's prob. a property of the listener as the cert source is all about fetching certs while the listener is all about serving them. I'd prob. opt for fallback defaulting to true. I'm not keen on double-negatives (we have a few in our legacy codebase and they just cause you to stop and have to think more!) :)

[magiconair]

@far-blue I tend to agree on both. The only issue with fallback is that now you have to set it everywhere in the code to get the default behavior which goes against the idea that empty structs should be useful and should encode the default behavior.

I can't think of a better name which expresses this in a different way. exactmatch does not capture it and would also need a reference to the certificate matching if configured in the context of the listener. What would this mean?

proxy.addr=:443;cs=demo;exactmatch=false

[far-blue]

well, if you are talking about the code vs the config, you could present the config as fallback with a default of true but internally represent it as something else such as strictMatch with a default of false. Or you could have something like preventfallback with a default of false if you don't like inverting a config value in code.

[magiconair]

I like strictmatch. No negative logic but still a default value of false.

[magiconair]

Still need to add a test for getCertificate() which does the actual work but that patch should do the trick.

[magiconair]

@far-blue thx for your help

[magiconair]

I'll sleep over the strictmatch name and if nothing comes up I'll merge that tomorrow or the day after.

[magiconair]

Merged to master.