stack/erp5: serve balancer requests when client certificate is not verified
We configure haproxy with "verify optional", which makes haproxy request a client certificate, but accept the case where client does not present a certificate, but as described in [1], if client present a certificate and this certificate can not be verified, handshake is aborted. This is not what we want, we want to treat the case of a non verified certificate same as the case of the absence of certificate. This configures haproxy accordingly, using "crt-ignore-err all" to allow handshake anyway. Once this was fixed, there was a remaining problem with client_cert_verified acl, haproxy acl are OR, but this rule was supposed to be a AND (client present a certificate AND it is verified), this was rewritten to use inline condition which are AND. [1]: https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#5.1-verify Also adjust test_x_forwarded_for_stripped_when_no_certificate to assert that there is no X-Forwarded-For header at all when no client certificate.
| Status | Job ID | Name | Coverage | ||||||
|---|---|---|---|---|---|---|---|---|---|
| External | |||||||||
| passed |
#611373
external
|
SlapOS.Eggs.UnitTest-TestRunner1.Python2 |
00:16:39
|
||||||
| failed |
#611371
external
|
SlapOS.SoftwareReleases.IntegrationTest-TestRunner1 |
06:50:49
|
||||||
| passed |
#610942
external
retried
|
SlapOS.Eggs.UnitTest-TestRunner1.Python2 |
00:16:23
|
||||||
| failed |
#610941
external
retried
|
SlapOS.SoftwareReleases.IntegrationTest-TestRunner1 |
06:45:24
|
||||||