Hi Warren,

As far as I know this is by design. If you do not want this behavior you need to use strict-sni in your bind statement.

Regards
Sander

> On 27 Jul 2018, at 12:47, Warren Rohner <[email protected]> wrote:
>
> Hi HAProxy list
>
> Just thought I'd resend this report from May in case it was missed. If it's a
> non-issue, I apologise.
>
> Regards
> Warren
>
> At 15:47 2018/05/22, Warren Rohner wrote:
>> Hi HAProxy list
>>
>> We use an HAProxy 1.7.11 instance to terminate SSL and load balance 100+
>> websites.
>>
>> The simplified bind line below specifies a default cert (i.e.
>> secure.example.com.pem) as required in this HAProxy version, and a directory
>> path to all other certs (i.e. ./):
>>
>> bind 127.0.0.1:443 ssl crt secure.example.com.pem crt ./
>>
>> This configuration works as expected. HAProxy finds all certs and the
>> correct one is used when TLS SNI extension is provided. For example,
>> visiting https://secure.example.com/ and https://www.example.com/ (with SNI
>> capable web browser) both work perfectly.
>>
>> The other day I inadvertently appended a trailing dot to the hostname for
>> one of our sites (e.g. https://www.example.com.), and when I did this
>> HAProxy returned the default cert to the browser rather than the expected
>> cert for that particular site. I'm not certain, but could this be a possible
>> bug in the HAProxy code that matches servername provided by browser's TLS
>> SNI extension against all loaded certificates?
>>
>> As a further example of the problem, I note that the issue can be reproduced on
>> the haproxy.org website as follows using OpenSSL client:
>>
>> Works as expected, HAProxy returns correct cert for haproxy.org:
>> openssl s_client -connect www.haproxy.org:443 -servername www.haproxy.org
>>
>> With trailing dot on servername, HAProxy returns what I think is the default
>> cert (an invalid StarrCom-issued cert for formilux.org):
>> openssl s_client -connect www.haproxy.org:443 -servername www.haproxy.org.
>>
>> Please let me know if I should provide any further information.
>>
>> Regards
>> Warren
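
The behaviour discussed in this thread, as an added example that is not part of the original messages and is not HAProxy's code: a simplified Python model of SNI-based certificate selection. It assumes an exact-name lookup, then a wildcard lookup, then fallback to the default certificate unless strict-sni is set; every certificate name other than secure.example.com.pem is constructed.

```python
# Simplified model of SNI certificate selection (assumed logic, not HAProxy source).
# It shows why "www.example.com." falls through to the default certificate and
# what changes when strict-sni is set on the bind line.

DEFAULT_CERT = "secure.example.com.pem"  # first "crt" on the bind line

# Constructed certificate store, as if loaded from "crt ./".
CERTS = {
    "secure.example.com": "secure.example.com.pem",
    "www.example.com": "www.example.com.pem",
    "*.shop.example.com": "wildcard.shop.example.com.pem",
}


def select_cert(servername, strict_sni=False):
    """Return the PEM file that would be served, or None if the handshake is refused."""
    if servername:
        name = servername.lower()
        # 1. Exact match on the name as sent. A trailing dot makes it a different string.
        if name in CERTS:
            return CERTS[name]
        # 2. Wildcard match: replace the first label with "*".
        _, dot, parent = name.partition(".")
        if dot and "*." + parent in CERTS:
            return CERTS["*." + parent]
    # 3. No SNI or no match: default cert, unless strict-sni refuses the handshake.
    return None if strict_sni else DEFAULT_CERT


if __name__ == "__main__":
    # Constructed sample of names a client might send in the SNI extension.
    samples = ["www.example.com", "www.example.com.", "a.shop.example.com",
               "a.shop.example.com.", None]
    for sni in samples:
        for strict in (False, True):
            result = select_cert(sni, strict_sni=strict) or "handshake refused"
            print(f"sni={sni!r:24} strict_sni={strict!s:5} -> {result}")
```
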

