Are you *only* selecting based on SNI? I ask because our setup uses cookies as well, specifically to get around SNI issues (we store the cookie on normal HTTP as well as HTTPS, and use it as a fallback if SNI fails). If you have other things going on besides SNI, that could explain that behaviour.
-Robin

On Fri, Feb 22, 2013 at 01:20:12PM +0100, Kenneth Mutka wrote:
> Hi,
>
> As I mentioned in my original email - The problem is intermittent, i.e. it
> works sometimes and other times not. And I do not mean with different
> clients - A page refresh is sufficient for HAProxy to return the correct
> certificate.
>
> All clients that connect use TLS1.1 and have support for SNI.
>
>
> On Fri, Feb 22, 2013 at 1:15 PM, Jonathan Matthews
> <[email protected]> wrote:
>
> > On 22 February 2013 08:29, Kenneth Mutka <[email protected]> wrote:
> > > Hi,
> > >
> > > I'm having a bit of a problem with my certificates. I have about 15
> > > separate certificates, including the default one. Apart from listening
> > > to 443, I also have a bunch of regular HTTP sites.
> > >
> > > Now, obviously I am using the SNI features here and most of the time it
> > > works just as intended, but every now and then, highly intermittently,
> > > the default certificate is being handed out instead of the correct one.
> >
> > Not all HTTP clients support SNI. I would strongly suspect you're
> > handing out the default cert to clients that don't provide SNI hints.
> > Other than moving to IP-per-SSL-site, I don't believe there's anything
> > you can do to avoid this when you don't control the clients.
> >
> > Jonathan
> > --
> > Jonathan Matthews // Oxford, London, UK
> > http://www.jpluscplusm.com/contact.html
> >
> >
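A worked illustration of the SNI-based selection the thread is about, added here as an example and not code from the original mailing-list exchange or from HAProxy itself: it builds a constructed TLS 1.1 ClientHello, pulls out the server_name extension the way a pre-handshake inspection would, and falls back to a default certificate when the client sent no SNI at all. The function names `build_client_hello`, `extract_sni` and `pick_certificate`, and the `.pem` file names, are assumptions.

```python
import struct

def build_client_hello(server_name=None):
    """Constructed sample TLS 1.1 ClientHello record (not a real capture)."""
    exts = struct.pack("!HH", 0xFF01, 1) + b"\x00"               # renegotiation_info, to exercise skipping
    if server_name is not None:
        host = server_name.encode("ascii")
        name = b"\x00" + struct.pack("!H", len(host)) + host      # name_type 0 = host_name
        sni = struct.pack("!H", len(name)) + name                 # server_name list
        exts += struct.pack("!HH", 0x0000, len(sni)) + sni        # extension type 0 = server_name
    body = b"\x03\x02" + b"\x11" * 32 + b"\x00"                  # version, random, empty session id
    body += struct.pack("!H", 2) + b"\x00\x2f"                   # one cipher suite
    body += b"\x01\x00"                                          # null compression only
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body    # handshake type 1 = ClientHello
    return b"\x16\x03\x02" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record):
    """Return the SNI host_name from a ClientHello record, or None if absent or unparsable."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            return None                                          # not a handshake / not a ClientHello
        pos = 9 + 2 + 32                                         # record + handshake headers, version, random
        pos += 1 + record[pos]                                   # session id
        pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]   # cipher suites
        pos += 1 + record[pos]                                   # compression methods
        if pos + 2 > len(record):
            return None                                          # no extensions block at all
        ext_end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", record[pos:pos + 4])
            pos += 4
            if etype == 0x0000:
                # list length (2) + name_type (1) + name length (2) + name
                nlen = struct.unpack("!H", record[pos + 3:pos + 5])[0]
                return record[pos + 5:pos + 5 + nlen].decode("ascii", "replace")
            pos += elen
        return None                                              # extensions present, but no SNI
    except (IndexError, struct.error):
        return None                                              # truncated or malformed record

def pick_certificate(record, certs, default="default.pem"):
    """Mimic SNI-based selection: the cert for the requested name, else the default one."""
    return certs.get(extract_sni(record), default)
```

Running `extract_sni` over captured ClientHellos from the affected connections is one way to confirm whether the clients that received the default certificate actually sent an SNI hint.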

