HAProxy SNI SSL Question...

CruisD64 (2[H]4U, joined Mar 6, 2007, 2,464 messages)
I'm trying to configure HAProxy to allow use of SNI for multiple host names. I've followed HAProxy's recommendation on how to configure SNI, however it always pulls the first cert listed in the config no matter what (startrek). I'm testing using OpenSSL which has supported SNI since 2007...

I'm using self signed certs for this. The odd thing is, Chrome pulls the right certs but openssl doesn't...

sample config below
-------------------------------------------------

frontend http-in
    # The first crt on the bind line is the default certificate HAProxy presents when the
    # ClientHello carries no SNI or the SNI matches none of the loaded certificates.
    # (The original cipher list had "AES129", which is not a valid keyword; corrected to AES128.)
    bind 0.0.0.0:443 ssl crt /etc/haproxy/certs/star_startrek_fb_lab.pem crt /etc/haproxy/certs/star_starwars_fb_lab.pem no-sslv3 ciphers ECDHE+aRSA+AES256+GCM+SHA384:ECDHE+aRSA+AES128+GCM+SHA256:ECDHE+aRSA+AES256+SHA384:ECDHE+aRSA+AES128+SHA256:ECDHE+aRSA+RC4+SHA:ECDHE+aRSA+AES256+SHA:ECDHE+aRSA+AES128+SHA:AES256+GCM+SHA384:AES128+GCM+SHA256:AES128+SHA256:AES256+SHA256:DHE+aRSA+AES128+SHA:RC4+SHA:HIGH:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS

    # Route on the SNI value the client sent in its ClientHello
    use_backend is_startrek if { ssl_fc_sni my.startrek.cruisd64.com }
    use_backend is_starwars if { ssl_fc_sni my.starwars.cruisd64.com }

backend is_startrek
    mode http
    balance roundrobin
    server server-1 192.168.1.100:5061 check

backend is_starwars
    mode http
    balance roundrobin
    server server-1 192.168.1.100:5061 check
 
if one client works, but another doesn't, I would assume the issue is the non-working client.
 
What's the output of your openssl s_client -connect whatever:443 -servername star_trek or w/e? Also what do your logs say?

Haven't really done any SNI with HAProxy but I do not see why that shouldn't work. Does the frontend require mode http too?
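The reply above points at the thing worth checking first: whether the test client actually puts a server_name extension in its ClientHello at all. If it does not (older openssl s_client builds only send SNI when -servername is given), HAProxy has nothing to match and falls back to the first crt on the bind line, which is exactly "always the first cert" behaviour. The following is an added example, not code from the thread or from HAProxy: it builds a minimal ClientHello with and without the SNI extension, parses the server_name back out (what ssl_fc_sni sees), and models HAProxy's documented certificate selection (exact or single-label wildcard match, else the first certificate listed). The certificate names `*.startrek.fb.lab` and `*.starwars.fb.lab` are assumptions inferred from the file names in the config; the PEM files themselves are not on the page.

```python
import fnmatch
import struct

# Constructed sample inventory: (file on the bind line, names in the cert).
# The names are assumptions; the first entry is HAProxy's default certificate.
CERTS = [
    ("star_startrek_fb_lab.pem", ["*.startrek.fb.lab"]),
    ("star_starwars_fb_lab.pem", ["*.starwars.fb.lab"]),
]


def build_client_hello(server_name=None):
    """Build a minimal TLS 1.2 ClientHello record (constructed for illustration).

    With server_name=None no server_name extension is emitted, which is what an
    openssl s_client run without -servername sends on older OpenSSL builds."""
    client_random = b"\x11" * 32
    session_id = b"\x00"                        # empty session id
    cipher_suites = b"\x00\x02" + b"\xc0\x2f"   # one suite: ECDHE-RSA-AES128-GCM-SHA256
    compression = b"\x01\x00"                   # null compression only
    ext_block = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        # ServerName entry: name_type 0 (host_name), 2-byte length, name
        name_entry = b"\x00" + struct.pack("!H", len(host)) + host
        name_list = struct.pack("!H", len(name_entry)) + name_entry
        # extension type 0 = server_name, then extension length
        extensions = struct.pack("!HH", 0, len(name_list)) + name_list
        ext_block = struct.pack("!H", len(extensions)) + extensions
    body = b"\x03\x03" + client_random + session_id + cipher_suites + compression + ext_block
    # handshake type 1 (client_hello) + 3-byte length
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # record type 0x16 (handshake), legacy version 3.1, 2-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_sni(record):
    """Return the host_name from a ClientHello's server_name extension, or None if absent."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello record")
    pos = 9                       # record header (5) + handshake type (1) + length (3)
    pos += 2 + 32                 # client_version + random
    sid_len = record[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2 + cs_len
    comp_len = record[pos]
    pos += 1 + comp_len
    if pos >= len(record):
        return None               # no extensions block at all
    ext_total = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", record[pos:pos + 4])
        pos += 4
        data = record[pos:pos + ext_len]
        pos += ext_len
        if ext_type == 0:
            p = 2                 # skip the 2-byte ServerNameList length
            while p + 3 <= len(data):
                name_type = data[p]
                name_len = struct.unpack("!H", data[p + 1:p + 3])[0]
                p += 3
                if name_type == 0:
                    return data[p:p + name_len].decode("ascii")
                p += name_len
    return None


def select_cert(sni, certs=CERTS):
    """Model of HAProxy's choice: first cert whose name matches the SNI (exact, or a
    wildcard covering exactly one label), otherwise the first cert on the bind line."""
    if sni:
        sni = sni.lower()
        for path, names in certs:
            for name in names:
                if name == sni:
                    return path
                if (name.startswith("*.") and sni.count(".") == name.count(".")
                        and fnmatch.fnmatchcase(sni, name)):
                    return path
    return certs[0][0]            # default certificate


if __name__ == "__main__":
    for host in (None, "my.startrek.fb.lab", "my.starwars.fb.lab", "unknown.example"):
        seen = parse_sni(build_client_hello(host))
        print(f"client sent SNI={seen!r:>22} -> HAProxy presents {select_cert(seen)}")
```

Running it shows the two cases that look identical from the server side: no SNI at all and an SNI that matches nothing both end up on the first certificate. So when a client "always gets the first cert", confirm with openssl s_client -servername <host> that the extension is really being sent before suspecting the bind line.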
 
Logs don't reveal anything out of the ordinary. The only thing I can think of is that HAProxy is not properly "decrypting" the URL from the cert, but the browser makes me think otherwise...

I added "mode http" to the frontend but I'm not sure that matters. Behavior is the same...
 
Well, definitely post back if you find the answer, just for future reference. Your config looks like every other plain-jane SNI setup as far as I can tell, and of course you already know that.
 