Hi,

As I mentioned in my original email - The problem is intermittent, i.e. it works sometimes and other times not. And I do not mean with different clients - A page refresh is sufficient for HAProxy to return the correct certificate.

All clients that connect use TLS1.1 and have support for SNI.

On Fri, Feb 22, 2013 at 1:15 PM, Jonathan Matthews <[email protected]> wrote:
> On 22 February 2013 08:29, Kenneth Mutka <[email protected]> wrote:
> > Hi,
> >
> > I'm having a bit of a problem with my certificates. I have about 15 separate
> > certificates, including the default one. Apart from listening to 443, I also
> > have a bunch of regular HTTP sites.
> >
> > Now, obviously I am using the SNI features here and most of the time it
> > works just as intended, but every now and then, highly intermittently, the
> > default certificate is being handed out instead of the correct one.
>
> Not all HTTP clients support SNI. I would strongly suspect you're
> handing out the default cert to clients that don't provide SNI hints.
> Other than moving to IP-per-SSL-site, I don't believe there's anything
> you can do to avoid this when you don't control the clients.
>
> Jonathan
> --
> Jonathan Matthews // Oxford, London, UK
> http://www.jpluscplusm.com/contact.html

