Jason Z. <jason@...> writes:

> At one point I had SSL termination (with multiple certificates) working in
> haProxy (same version as in subject), however I noticed today that no matter
> which site I accessed I was being returned the default certificate.
>
> During further troubleshooting, turning on 'strict-sni' indeed blocks all
> SSL traffic (except for traffic bound to the same domain as the default
> cert).
>
> I've made a few configuration changes today, thanks to the slew of various
> SSL/haProxy articles, however no matter what change I've attempted the
> results are the same.
I believe I've figured out the error of my ways.

I recently changed where I'm generating SSL keys, in order to push keys to an R/O mount for the FE server, letting a back-end server handle the security aspects. The openssl on the backend/generator system is 1.0.1-4ubuntu5.14; the openssl on the frontend/haproxy system is 1.0.1e-2+deb7u10. While they are both 1.0.1 branch versions (which would make me assume they're compatible), apparently they are not.

I regenerated the keys on the frontend system, and all of the SNI functionality is once again working. Not nearly as secure as I would have hoped and was aiming for, but functional is the first requirement.
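An added check for the setup described above (example script, not from this thread or the HAProxy project): HAProxy reads the certificate and its private key from one PEM file per `crt` entry, so before generated material is pushed to the read-only mount, each bundle can be verified on the generator side to contain both halves, to have a key that matches the certificate, and to cover the expected names. It assumes the `openssl` CLI is installed; the hostnames and paths are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original thread. Verifies a PEM bundle of
# the kind HAProxy loads via "crt": certificate present, private key present,
# key matches certificate, and which names the certificate covers.
# Assumes the openssl CLI (1.1.1 or newer for -addext in make_bundle).

# check_bundle FILE: prints "ok <subject> <SANs>" and returns 0,
# otherwise prints the reason and returns 1.
check_bundle() {
    f="$1"
    grep -q 'BEGIN CERTIFICATE' "$f" || { echo "no certificate in $f"; return 1; }
    grep -q 'PRIVATE KEY' "$f" || { echo "no private key in $f"; return 1; }
    # Derive the public key from both halves of the bundle; they must be identical.
    cert_pub=$(openssl x509 -in "$f" -noout -pubkey 2>/dev/null) \
        || { echo "unreadable certificate in $f"; return 1; }
    key_pub=$(openssl pkey -in "$f" -pubout 2>/dev/null) \
        || { echo "unreadable private key in $f"; return 1; }
    [ "$cert_pub" = "$key_pub" ] || { echo "key does not match certificate in $f"; return 1; }
    subj=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject= *//')
    # The SAN list is printed on the line after the extension header in -text output.
    sans=$(openssl x509 -in "$f" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' ')
    echo "ok $subj $sans"
}

# make_bundle DIR NAME: self-signed test certificate and key for NAME
# (constructed data), combined into DIR/NAME.pem the way HAProxy expects.
make_bundle() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -addext "subjectAltName=DNS:$2,DNS:www.$2" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
    cat "$1/$2.crt" "$1/$2.key" > "$1/$2.pem"
}

# demo: one correct bundle and one whose key belongs to a different certificate
demo() {
    d=$(mktemp -d)
    make_bundle "$d" site-a.example
    make_bundle "$d" site-b.example
    cat "$d/site-a.example.crt" "$d/site-b.example.key" > "$d/mixed.pem"
    check_bundle "$d/site-a.example.pem"
    check_bundle "$d/mixed.pem"
    rm -rf "$d"
}
```

Run `check_bundle` over every file in the directory your `crt` lines point at; a non-zero exit from any of them means that bundle should not be pushed to the frontend.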