Hi Folks,

I'm working with a set of HAProxy backends (both 1.5 and 1.6 branch) and often one HAProxy will be relaying to another before arriving at the origin that will serve the request.

Much of this traffic is HTTP but I am adding a channel for HTTPS as well, and using an SSL-enabled backend for HTTPS requests.

Let's say a request comes like this: Client (browser) -> "Edge" (HAProxy) -> "Local" (HAProxy) -> Origin (apache, nginx, etc). In this particular test, "Edge" is HAProxy 1.6.3, and "Local" is HAProxy 1.5.14.

What I've found is that if I enable the "strict-sni" option on "Local", the health checks from "Edge" fail with 'reason: Layer6 invalid response, info: "SSL handshake failure", check duration: 8ms'. In the logs on "Local" I see "http/2: SSL handshake failure".

Initially I was using a backend declaration like this:

server hostname-ssl-01 IP:443 check-ssl ssl ca-file /path/to/ca/certs

Once I enabled strict-sni on the "Local" side, the health checks stopped working. So, I added the verifyhost directive in the hopes of being able to specify the SNI host rather than depending on a default cert:

server hostname-ssl-01 IP:443 check-ssl ssl ca-file /path/to/ca/certs verifyhost www.hostname.com

Alas, I get the same SSL handshake error. Is this not expected to work? I know I can do other things like use health checks from an HTTP backend, but I would both like to have SSL health checks on SSL ports, as well as turn off the default certificate by using strict-sni so that domains hosted without SSL certificates get a more appropriate error (unable to connect / no cert) instead of a message about a certificate that does not match when they are served the default cert.
Also, it's worth mentioning that verifyhost is working as expected, in that if it's specified on the server line, the SSL handshake will fail if the "Local" HAProxy server does not have a certificate installed for the domain in question. So, this leads me to believe that SNI can and is used by the SSL-enabled server.

--
Best Regards,
Mark Staudinger

"Why DIY when you can NYI?"
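An added configuration sketch (mine, not the poster's) showing the part that verifyhost does not cover: verifyhost only names the subject expected in the certificate that "Local" presents, while the SNI carried in the ClientHello comes from the server-line sni keyword (HAProxy 1.6 and later) for proxied traffic and from check-sni for the health check itself (a keyword added in releases newer than the 1.5/1.6 branches discussed here), so a check without it sends no SNI and a strict-sni bind refuses the handshake. Assumed placeholders: LOCAL_IP, ORIGIN_IP, the certificate directory /path/to/certs/ and the /healthz check path.

```haproxy
# --- "Local" HAProxy (terminates TLS in front of the origin) ---
frontend local_https
    # strict-sni: no default certificate is served. A ClientHello that carries no SNI,
    # or an SNI matching none of the loaded certificates, gets a handshake failure.
    bind :443 ssl crt /path/to/certs/ strict-sni
    default_backend origin

backend origin
    server origin-01 ORIGIN_IP:80 check

# --- "Edge" HAProxy (relays to "Local" over TLS) ---
backend local_ssl
    option httpchk GET /healthz
    # verify required + verifyhost: validate the name in the certificate "Local" returns;
    #   this checks the reply, it does not set the SNI that is sent.
    # sni req.hdr(host): send the request's Host header as SNI so "Local" can select a
    #   certificate (server-line 'sni' keyword, HAProxy 1.6+; not available in 1.5).
    # check-sni: the SNI used by the health check itself (releases newer than 1.6).
    #   Without it the check sends no SNI, which is exactly what strict-sni rejects.
    server hostname-ssl-01 LOCAL_IP:443 check check-ssl ssl ca-file /path/to/ca/certs verify required verifyhost www.hostname.com sni req.hdr(host) check-sni www.hostname.com
```

To confirm the diagnosis from a shell, `openssl s_client -connect LOCAL_IP:443` (no SNI) should fail the handshake against the strict-sni bind while the same command with `-servername www.hostname.com` completes it.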
