Hi Kevin,

On Fri, Jul 21, 2017 at 02:06:52PM -0700, Kevin McArthur wrote:
> Further... the odd/broken behavior might be being caused related to no sni
> indication on the health checks...
> 
> This config sort of works:
> 
> 
> server app2 ssltest.example.ca:443 ssl verify required verifyhost ssltest.example.ca sni ssl_fc_sni ca-file /etc/ssl/certs/ca-certificates.crt check check-ssl
> 
> This lets me load ssltest.example.ca via the proxy.
> 
> 
> server app2 anotherdomain.example.ca:443 ssl verify required verifyhost anotherdomain.example.ca sni ssl_fc_sni ca-file /etc/ssl/certs/ca-certificates.crt check check-ssl
> 
> Jul 21 20:57:55 haproxy1 haproxy[8371]: Health check for server
> www-backend-https/app2 failed, reason: Layer6 invalid response, info: "SSL
> handshake failure", check duration: 3ms, status: 0/2 DOWN.
> 
> Fails health check (no SNI) verifyhost match (anotherdomain.example.ca isn't
> the default on the backend server). So ends up in "No server is available to
> handle this request."
> 
> 
> server app2 ssltest.example.ca:443 ssl verify required verifyhost ssl_fc_sni sni ssl_fc_sni ca-file /etc/ssl/certs/ca-certificates.crt check check-ssl
> 
> Jul 21 20:57:55 haproxy1 haproxy[8371]: Health check for server
> www-backend-https/app2 failed, reason: Layer6 invalid response, info: "SSL
> handshake failure", check duration: 3ms, status: 0/2 DOWN.
> 
> This fails health check.
> 
> 
> server app2 ssltest.example.ca:443 ssl verify required sni ssl_fc_sni ca-file /etc/ssl/certs/ca-certificates.crt check check-ssl
> 
> This works, but without verifying the host properly. Can load
> anotherdomain.example.ca and the SNI is passed along properly.
> 
> 
> Perhaps it's the host checks' SNI support and not this patch that are not
> working correctly?

The "verifyhost" directive *forces* the host name to be checked and ignores
the SNI. By just removing it from your "server" lines, it must be OK. Your
last example above suggests it works. Why do you say that the host is not
properly verified? Have you checked that you can connect to a server
presenting the wrong cert? For me it refuses it and only accepts the
correct cert (the one having the same name as asked in the SNI).

Willy
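The two server-line variants discussed in this thread, side by side, as an added configuration example (not Kevin's posted config and not from the HAProxy project). It assumes a frontend that terminates TLS so that ssl_fc_sni carries the client's SNI, a backend that serves several names by SNI, placeholder hostnames and cert paths, and a HAProxy version that verifies against the SNI when verifyhost is absent (the behaviour Willy describes). The check-sni keyword on the last line is an assumption: it exists in HAProxy 1.8 and later, which postdates this thread, and is only there to give the SNI-less health check a name to match.

```haproxy
# Added example, not from the thread. Hostnames and paths are placeholders.

frontend www-https
    bind :443 ssl crt /etc/haproxy/certs/    # assumed cert directory
    mode http
    default_backend www-backend-https

# Weak variant: verifyhost pins ONE name and ignores the SNI the client sent.
# Any request for a different name fails verification with an
# "SSL handshake failure", which is what the second server line in the
# thread ran into for anotherdomain.example.ca.
backend www-backend-https-pinned
    mode http
    server app2 ssltest.example.ca:443 ssl verify required verifyhost ssltest.example.ca sni ssl_fc_sni ca-file /etc/ssl/certs/ca-certificates.crt check check-ssl

# Corrected variant: drop verifyhost. The backend certificate is then checked
# against the SNI forwarded from the client, so every name is verified against
# its own certificate and a backend presenting the wrong certificate is refused.
backend www-backend-https
    mode http
    # Health checks send no SNI unless told to, so the probe sees the backend's
    # default certificate. check-sni (HAProxy 1.8+, assumed) pins a name for the
    # probe only; real traffic is still verified against the client's SNI.
    server app2 ssltest.example.ca:443 ssl verify required sni ssl_fc_sni ca-file /etc/ssl/certs/ca-certificates.crt check check-ssl check-sni ssltest.example.ca
```

To reproduce Willy's check, point a test backend at a server whose certificate is for a different name than the one requested and confirm that HAProxy logs a handshake failure and returns no server rather than serving the page; only the certificate matching the requested SNI should be accepted.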
