On 6 May 2017 2:04 am, "Kevin McArthur" <ke...@stormtide.ca> wrote:

> When doing tls->haproxy->tls (bridged https) re-encryption with SNI, we need to verify the backend certificate against the SNI value requested by the client. Something like server options:
>
>     server app1 app1.example.ca:443 ssl no-sslv3 sni ssl_fc_sni verify required verifyhost ssl_fc_sni
>
> However, the "verifyhost ssl_fc_sni" part doesn't work at current. Is there any chance I could get this support patched in? Most folks seem to be either ignoring the backend server validation, setting verify none, or stripping tls altogether, leaving a pretty big security hole.

Care to elaborate why this is a security hole if the backend servers are in an internal LAN, which usually is the case when terminating ssl on the proxy?

> --
> Kevin McArthur
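As an added illustration that is not part of the thread above: one way to keep backend certificate validation on without a dynamic verifyhost is to route each client SNI to its own backend whose single server carries a static verifyhost for that name, shown beside the weak verify-none form. Hostnames, certificate and CA file paths here are assumed placeholders.

```haproxy
# Added example, not from the mailing-list thread. Hostnames and paths are placeholders.
frontend https-in
    mode http
    bind :443 ssl crt /etc/haproxy/certs/ no-sslv3
    # One backend per SNI name, so each backend knows the exact name to verify.
    use_backend app1 if { ssl_fc_sni -i app1.example.ca }
    default_backend app1

backend app1
    mode http
    # Weak: traffic is re-encrypted, but the backend certificate is never checked,
    # so the proxy will happily talk to whatever answers on the LAN path.
    # server app1 app1.example.ca:443 ssl verify none

    # Hardened: require a chain to the internal CA, check the certificate name
    # against the fixed hostname this backend serves, and send that same name
    # as SNI instead of echoing the client's value. Health checks use TLS too.
    server app1 app1.example.ca:443 ssl no-sslv3 no-tlsv10 verify required ca-file /etc/haproxy/internal-ca.pem verifyhost app1.example.ca sni str(app1.example.ca) check check-ssl
```

Each additional SNI name gets its own use_backend rule and backend with a matching static verifyhost, which keeps the client-requested name and the verified name in step without relying on verifyhost accepting a fetch expression.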