On Thu, Mar 26, 2015 at 7:44 AM, Jarno Huuskonen <jarno.huusko...@uef.fi> wrote:
> Hi,
>
> On Wed, Mar 25, Shawn Heisey wrote:
>> On 3/25/2015 10:16 AM, Brandon wrote:
>> > Hi, I am trying to deploy HAProxy in HTTP mode in front of a Windows
>> > Server 2012 R2 ADFS 3.0 farm. In ADFS 3.0 backend servers require that
>> > clients support SNI.
>> >
>> > In my testing it does not appear that HAProxy is sending the ServerName
>> > extension in the TLS handshake and as a result I am receiving a "Bad
>> > Gateway" error. The HAProxy logs just say "Connection error during SSL
>> > handshake". I captured the traffic with wireshark and the ServerName TLS
>> > extension is indeed missing and the ADFS server is sending a RESET
>> > packet right after the SSL HELLO packet.
>
> Do any of the force-tls10, force-tls11 or force-tls12 (or no-sslv3)
> make any difference?
>
>> Haproxy 1.5 does support SNI, but in order for it to work, the version
>> of openssl used must also support it.  If you're running an old OS, it
>> might not have that support.  RHEL6 and its derivatives (like CentOS6)
>> include openssl 0.9.8e, and I don't think that version has SNI ... the
>
> CentOS6 (6.6) comes with openssl 1.0.1e, but it also has a compatibility
> package: openssl098e. (haproxy -vv should show what version you're using).
>
> It should be possible to configure ADFS not to require SNI (= add a default
> binding); we're testing netscaler as adfs proxy (netscaler doesn't support
> SNI on backend), and the default binding seems to work.
> (For example: http://jesperstahle.azurewebsites.net/?p=1382)
>
> -Jarno
>
> --
> Jarno Huuskonen
>


Hi,

HAProxy does not support SNI on backend yet.
The biggest problem is not to send the SNI, the problem is what to send :)
Do you send the Host header sent by the client, do you want to forge
one, what happens if you do rewriting of the Host header, etc...
So we could discuss the options here, then we'll be able to code
something I guess...

Baptiste
