Hi Kenneth,

On Thu, Mar 14, 2013 at 06:59:08PM +0100, Kenneth Mutka wrote:
> Hi,
>
> I have not tried with thousands of certificates, only some 20-30 or so,
> using SNI.
> My problem has been that every once in a while the default certificate is
> served up, rather than the one for the requested domain.
>
> I have yet to find the cause of this behaviour, but it seems to have
> something to do with latency in some sort of way, seeing as most of the
> reports I get on the domains I do host come from locations, network-wise,
> fairly far away.

I suspect that some clients fail to use SNI. I've already seen this from
time to time. It looks like after some errors, they refrain from using SNI
or even TLS at all and fall back to SSLv3.

> As it stands, I wouldn't try serving up mission critical data over HAProxy
> using the SNI features.

Anyway nobody should use some development software in mission critical
environments, even though we know many people do...

Willy
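
The hypothesis in the reply above (a client that drops SNI, or falls back to SSLv3, is served the default certificate) can be checked against captured handshakes. The following is an added example, not part of the original mail and not HAProxy code: a small ClientHello parser that reports the offered protocol version and the SNI host name, if any. The function names are hypothetical and the sample records are constructed, not captured.

```python
import struct

def build_client_hello(version, sni=None):
    """Build a minimal ClientHello record (constructed sample input, not a capture)."""
    ext = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name    # name_type 0 = host_name
        data = struct.pack("!H", len(entry)) + entry             # server_name_list
        ext = struct.pack("!HH", 0, len(data)) + data            # extension type 0 = server_name
    body = struct.pack("!H", version) + bytes(32) + b"\x00"      # version, random, empty session id
    body += struct.pack("!H", 2) + b"\x00\x2f" + b"\x01\x00"     # one cipher suite, null compression
    if ext:
        body += struct.pack("!H", len(ext)) + ext                # extensions block
    hs = b"\x01" + len(body).to_bytes(3, "big") + body           # handshake type 1 = ClientHello
    return b"\x16" + struct.pack("!HH", version, len(hs)) + hs   # record type 22 = handshake

def inspect_client_hello(record):
    """Return (client_version, sni_or_None) for one TLS record holding a ClientHello."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello record")
    try:
        body = record[9:9 + int.from_bytes(record[6:9], "big")]
        version = struct.unpack_from("!H", body, 0)[0]
        pos = 34                                             # skip version + random
        pos += 1 + body[pos]                                 # session id
        pos += 2 + struct.unpack_from("!H", body, pos)[0]    # cipher suites
        pos += 1 + body[pos]                                 # compression methods
        if pos == len(body):
            return version, None                             # no extensions at all (typical SSLv3 hello)
        end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack_from("!HH", body, pos)
            pos += 4
            if etype == 0:                                   # server_name: take the first entry
                nlen = struct.unpack_from("!H", body, pos + 3)[0]
                return version, body[pos + 5:pos + 5 + nlen].decode("ascii", "replace")
            pos += elen
        return version, None                                 # extensions present, but no SNI
    except (struct.error, IndexError):
        raise ValueError("truncated ClientHello") from None

if __name__ == "__main__":
    for rec in (build_client_hello(0x0303, "www.example.com"), build_client_hello(0x0300)):
        version, sni = inspect_client_hello(rec)
        print(hex(version), sni or "no SNI: the default certificate would be served")
```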

