stack/erp5: serve balancer requests when client certificate is not verified
We configure haproxy with "verify optional", which makes haproxy request a client certificate but accept the case where the client does not present a certificate. However, as described in [1], if the client presents a certificate and this certificate cannot be verified, the handshake is aborted. This is not what we want: we want to treat the case of a non-verified certificate the same as the case of the absence of a certificate. This configures haproxy accordingly, using "crt-ignore-err all" to allow the handshake anyway.

Once this was fixed, there was a remaining problem with the client_cert_verified acl: haproxy acls are OR, but this rule was supposed to be an AND (client presents a certificate AND it is verified). This was rewritten to use inline conditions, which are AND.

[1]: https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#5.1-verify

Also adjust test_x_forwarded_for_stripped_when_no_certificate to assert that there is no X-Forwarded-For header at all when there is no client certificate.
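The behaviour described in the commit message above, as an added configuration example that is not the project's own haproxy template: the bind options, and the OR versus AND difference between a named ACL and inline conditions. The certificate paths, addresses, backend and server names, the fetches chosen for the test (`ssl_c_used`, `ssl_c_verify`) and the `del-header` rule are assumptions.

```haproxy
# Added example. Paths, names and addresses are assumed, not the project's values.
frontend balancer
    mode http
    # "verify optional" requests a client certificate but does not require one.
    # "crt-ignore-err all" lets the handshake complete even when the presented
    # certificate fails verification, so the request is served like one from a
    # client that sent no certificate.
    bind 0.0.0.0:8443 ssl crt /etc/haproxy/server.pem ca-file /etc/haproxy/client-ca.pem verify optional crt-ignore-err all

    # Before (assumed shape of the old rule): lines sharing one ACL name are
    # ORed, so the ACL matches as soon as either test is true. Once handshake
    # errors are ignored, a certificate that failed verification still
    # satisfies the ssl_c_used line and would be treated as verified.
    #   acl client_cert_verified ssl_c_used
    #   acl client_cert_verified ssl_c_verify 0
    #   http-request del-header X-Forwarded-For unless client_cert_verified

    # After: anonymous inline conditions written side by side are ANDed.
    # The header is kept only when a certificate was presented AND its
    # verification result is 0 (no error); otherwise it is removed.
    http-request del-header X-Forwarded-For unless { ssl_c_used } { ssl_c_verify 0 }

    default_backend erp5

backend erp5
    mode http
    server zope1 127.0.0.1:8080
```

Because failed verifications no longer abort the handshake, every rule that grants trust based on the client certificate has to test the verification result explicitly, as the inline condition does here.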
| Status | Job ID | Name | Duration | Coverage |
|---|---|---|---|---|
| External | | | | |
| failed | #612245 (external) | Cloudooo.UnitTest-Master | 00:09:39 | |
| passed | #612217 (external) | SlapOS.Eggs.UnitTest-Master.Python2 | 00:30:16 | |
| passed | #612229 (external) | SlapOS.Eggs.UnitTest-Master.Python3 | 00:35:07 | |
| failed | #612242 (external) | SlapOS.Eggs.UnitTest-TestRunner1.Python3 | 00:24:02 | |