Hi,

On Wed, Mar 25, Shawn Heisey wrote:
> On 3/25/2015 10:16 AM, Brandon wrote:
> > Hi, I am trying to deploy HAProxy in HTTP mode in front of a Windows
> > Server 2012 R2 ADFS 3.0 farm. In ADFS 3.0 backend servers require that
> > clients support SNI.
> >
> > In my testing it does not appear that HAProxy is sending the ServerName
> > extension in the TLS handshake and as a result I am receiving a "Bad
> > Gateway" error. The HAProxy logs just say "Connection error during SSL
> > handshake". I captured the traffic with wireshark and the ServerName TLS
> > extension is indeed missing and the ADFS server is sending a RESET
> > packet right after the SSL HELLO packet.

Do any of the force-tls10, force-tls11 or force-tls12 (or no-sslv3) make any difference?

> Haproxy 1.5 does support SNI, but in order for it to work, the version
> of openssl used must also support it. If you're running an old OS, it
> might not have that support. RHEL6 and its derivatives (like CentOS6)
> include openssl 0.9.8e, and I don't think that version has SNI ...

The CentOS6 (6.6) comes with openssl 1.0.1e, but it also has a compatibility package: openssl098e. (haproxy -vv should show what version you're using.)

It should be possible to configure ADFS not to require SNI (= add default binding); we're testing netscaler as adfs proxy (netscaler doesn't support SNI on backend), and the default binding seems to work. (For example: http://jesperstahle.azurewebsites.net/?p=1382)

-Jarno

--
Jarno Huuskonen
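As an added example, not from this thread or from anyone on it: a backend that does send the ServerName extension to the ADFS farm. It relies on the `sni` server keyword, which exists in HAProxy 1.6 and later and not in the 1.5 discussed above; the hostnames, addresses and certificate paths are assumed placeholders.

```haproxy
# Added example, not part of the thread. Requires HAProxy 1.6+ for the
# "sni" server keyword; 1.5 cannot set a backend SNI name at all.
# adfs.example.com, 10.0.0.11/12 and the cert paths are placeholders.
frontend fe_adfs
    mode http
    bind *:443 ssl crt /etc/haproxy/certs/adfs.example.com.pem
    default_backend be_adfs

backend be_adfs
    mode http
    # Send the farm name in the TLS ServerName extension so the ADFS
    # binding matches, and verify the backend certificate against the
    # farm's CA so the proxy cannot be pointed at an impostor server.
    server adfs1 10.0.0.11:443 ssl sni str(adfs.example.com) verify required ca-file /etc/haproxy/certs/adfs-ca.pem
    server adfs2 10.0.0.12:443 ssl sni str(adfs.example.com) verify required ca-file /etc/haproxy/certs/adfs-ca.pem
```

On the build side, `haproxy -vv` also prints whether the linked OpenSSL supports SNI, which is the first thing to confirm before changing the config.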