I'm having an issue while trying to serve SCT TLS extensions in a
two-certificate scenario.

I'm using HA-Proxy version 1.7.1 with static OpenSSL 1.1.0c.

Certificates:

file www.domain.tld.pem
- Subject: CN=domain.tld
- Subject Alternative Name: DNS:domain.tld, DNS:www.domain.tld

file xxx.domain.tld.pem
- Subject: CN=xxx.domain.tld
- Subject Alternative Name: DNS:xxx.domain.tld

For each .pem file the respective .sctl file also exists
(www.domain.tld.pem.sctl, xxx.domain.tld.pem.sctl).

When connecting, I receive the SCT TLS extension only for the first
hostname listed in the "bind ... crt" config statement, regardless of
what it is.

So...

bind a.b.c.d:443 crt ./www.domain.tld.pem crt ./xxx.domain.tld.pem
$ openssl s_client -serverinfo 18 -connect a.b.c.d:443 -servername www.domain.tld
$ openssl s_client -serverinfo 18 -connect a.b.c.d:443 -servername xxx.domain.tld

... gives me the TLS extension only for www.domain.tld.

If I flip the two "crt" files...

bind a.b.c.d:443 crt ./xxx.domain.tld.pem crt ./www.domain.tld.pem
$ openssl s_client -serverinfo 18 -connect a.b.c.d:443 -servername www.domain.tld
$ openssl s_client -serverinfo 18 -connect a.b.c.d:443 -servername xxx.domain.tld

... I get the SCT TLS extension for xxx.domain.tld but not for
www.domain.tld.

What am I doing wrong?

Thanks,

-- 
Pier Carlo Chiodi
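As an added example (not part of the original post or of HAProxy), the following parses the block that `openssl s_client -serverinfo 18` prints for each SNI name, so you can see per hostname whether the signed_certificate_timestamp extension arrived and which log IDs and timestamps it carried. It assumes the s_client serverinfo layout (2-byte type, 2-byte length, extension data) and the RFC 6962 v1 SCT list structure; the sample output is constructed, not from a real log.

```python
import base64
import re
import struct

# Matches the PEM-style block `openssl s_client -serverinfo 18` prints when the
# server actually sent the signed_certificate_timestamp (type 18) extension.
SERVERINFO_RE = re.compile(
    r"-----BEGIN SERVERINFO FOR EXTENSION 18-----(.*?)"
    r"-----END SERVERINFO FOR EXTENSION 18-----", re.S)

def parse_sct_list(data: bytes) -> list:
    """Parse an RFC 6962 SignedCertificateTimestampList into dicts."""
    (total,) = struct.unpack_from("!H", data, 0)
    if total != len(data) - 2:
        raise ValueError("SCT list length does not match payload")
    pos, scts = 2, []
    while pos < len(data):
        (n,) = struct.unpack_from("!H", data, pos)
        sct = data[pos + 2:pos + 2 + n]
        pos += 2 + n
        # SCT v1 layout: version(1) log_id(32) timestamp(8) extensions(2+n) signature
        (ext_len,) = struct.unpack_from("!H", sct, 41)
        sig_off = 43 + ext_len
        hash_alg, sig_alg, sig_len = struct.unpack_from("!BBH", sct, sig_off)
        scts.append({"version": sct[0], "log_id": sct[1:33].hex(),
                     "timestamp_ms": struct.unpack_from("!Q", sct, 33)[0],
                     "hash_alg": hash_alg, "sig_alg": sig_alg,
                     "signature": sct[sig_off + 4:sig_off + 4 + sig_len]})
    return scts

def scts_from_s_client_output(text: str) -> list:
    """SCTs from one s_client run's output; [] when the extension was absent."""
    m = SERVERINFO_RE.search(text)
    if not m:
        return []
    blob = base64.b64decode(m.group(1))
    ext_type, ext_len = struct.unpack_from("!HH", blob, 0)  # s_client prefixes type+len
    if ext_type != 18 or ext_len != len(blob) - 4:
        raise ValueError("not a well-formed serverinfo block for extension 18")
    return parse_sct_list(blob[4:])

def build_sample_output(log_id: bytes, timestamp_ms: int, signature: bytes) -> str:
    """Constructed s_client output carrying one SCT (sample data, not a real log)."""
    sct = b"\x00" + log_id + struct.pack("!Q", timestamp_ms) + b"\x00\x00"
    sct += struct.pack("!BBH", 4, 3, len(signature)) + signature  # sha256 / ecdsa
    sct_list = struct.pack("!H", len(sct)) + sct
    payload = struct.pack("!H", len(sct_list)) + sct_list
    blob = struct.pack("!HH", 18, len(payload)) + payload
    return ("CONNECTED(00000003)\n-----BEGIN SERVERINFO FOR EXTENSION 18-----\n"
            + base64.encodebytes(blob).decode() + "-----END SERVERINFO FOR EXTENSION 18-----\n")
```

Feed each `-servername` run's output to `scts_from_s_client_output`; an empty list for one hostname and a populated one for the other reproduces the asymmetry described above.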
