Hi Jason,
> I believe I've figured out the error of my ways.
> I recently changed where I'm generating SSL keys, in order to push keys to a
> R/O mount for the FE server, letting a back-end server handle the security
> aspects.
>
> The openssl on the backend/generator system is 1.0.1-4ubuntu5.14, the
> openssl on the frontend/haproxy system is 1.0.1e-2+deb7u10
>
> While they are both 1.0.1 branch versions (which would make me assume
> they're compatible), apparently they are not.

It's not that. You can generate and sign certificates even with non-openssl
tools, and still use them.

> I regenerated the keys on the frontend system, and all of the SNI
> functionality is once again working.

I suspect CN/UCC/SAN values are corrupted or wrong when coming from the
"backend/generator" system then. Triple check how you generate them and
validate them again [1]. HAproxy/Openssl does no magic here, either the
certificate contains the proper values and SNI will work, or not.

Regards,
Lukas

[1] http://www.cyberciti.biz/faq/test-ssl-certificates-diagnosis-ssl-certificate/
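The check Lukas recommends, written out as an added example (editor's code, not from Lukas, Jason or the haproxy project): generate a key and self-signed certificate whose CN and subjectAltName are set from an openssl config section (works on 1.0.x, which has no -addext), concatenate them into the cert-then-key PEM that haproxy's "crt" directive loads, and then inspect what the PEM actually carries before pushing it to the frontend. The hostnames www.example.com and example.com are assumptions chosen for the example; a last function asks a running haproxy which certificate it serves for a given SNI name, so the generator-side and frontend-side views can be compared.

```shell
#!/bin/sh
# Added example, not code from the original thread. Assumed hostnames below.
set -eu

PRIMARY=www.example.com   # assumed: the CN and first SAN
ALT=example.com           # assumed: a second SAN

# Write an openssl req config that sets CN and SAN without prompting.
# x509_extensions applies when "openssl req -x509" self-signs.
write_san_config() {
    cat >"$1" <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = v3_req
prompt             = no
[ dn ]
CN = $PRIMARY
[ v3_req ]
subjectAltName = DNS:$PRIMARY, DNS:$ALT
EOF
}

# Generate key + self-signed cert in $1 and build $1/site.pem for haproxy,
# which expects the certificate(s) followed by the private key in one file.
generate_site_pem() {
    dir=$1
    write_san_config "$dir/san.cnf"
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/site.key" -out "$dir/site.crt" \
        -config "$dir/san.cnf" 2>/dev/null
    cat "$dir/site.crt" "$dir/site.key" >"$dir/site.pem"
}

# Return 0 if NAME ($2) is an exact DNS SAN of the certificate in PEM ($1).
# SNI selection is decided by these names, so this is the value to verify.
cert_has_dns_name() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | awk -v want="$2" '
            /X509v3 Subject Alternative Name/ {
                getline                      # SAN values are on the next line
                n = split($0, a, ",")
                for (i = 1; i <= n; i++) {
                    gsub(/^[ \t]+|[ \t]+$/, "", a[i])
                    if (a[i] == "DNS:" want) found = 1
                }
            }
            END { exit found ? 0 : 1 }'
}

# Return 0 if the private key in the PEM belongs to the certificate in it.
# Compares RSA moduli (RSA keys only; for EC keys compare "openssl pkey -pubout"
# output instead). A key/cert pair mixed up between two hosts fails here.
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null) || return 1
    k=$(openssl rsa  -in "$1" -noout -modulus 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}

# Print subject and DNS SANs of the certificate a live server returns for
# SNI name $2 at host:port $1. Compare with cert_has_dns_name on the file
# you pushed; a mismatch means the frontend is not serving what you think.
sni_served_names() {
    printf '' | openssl s_client -connect "$1" -servername "$2" 2>/dev/null \
        | openssl x509 -noout -subject -text 2>/dev/null \
        | grep -E '^subject=|DNS:'
}

# Local demonstration: ./check-san.sh demo
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    generate_site_pem "$tmp"
    cert_has_dns_name "$tmp/site.pem" "$PRIMARY" && echo "SAN contains $PRIMARY"
    cert_has_dns_name "$tmp/site.pem" "$ALT"     && echo "SAN contains $ALT"
    key_matches_cert  "$tmp/site.pem"            && echo "key matches certificate"
    rm -rf "$tmp"
fi
```

Run the same cert_has_dns_name check on the generator host and again on the frontend after the copy; if the file passes on both, point sni_served_names at the haproxy bind address with each hostname you expect SNI to select, and the names it prints should match the file you pushed.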

