On 23 July 2014 09:53, Martin van Diemen <[email protected]> wrote:
> Hi,
>
> I'm using multiple certificates for haproxy. All certificates are placed in
> one folder and this works great when using a web browser.
[snip]
> When I run "openssl s_client -connect subdomain.domain.tld:443" I get the
> wrong certificate.
[snip]
> I cannot figure out why the wrong certificate is returned. Maybe someone
> could help me. Maybe this is a bug in haproxy?
No; your problem is twofold:

1) You're expecting the s_client tool to do more, automatically, than it
   actually does. Have a look here:
   http://rt.openssl.org/Ticket/Display.html?id=2548&user=guest&pass=guest

2) The *only* reason your setup works in the browser is that you are using
   one which supports SNI. Read the Wikipedia page for a decent summary of it:
   http://en.wikipedia.org/wiki/Server_Name_Indication. Note this paragraph:

   "Users whose browsers do not support SNI will be presented with a default
   certificate and hence are likely to receive certificate warnings, unless
   the server is equipped with a wildcard certificate that matches the name
   of the website."

You have 3 options to solve this for your users, as far as I'm aware:

a) use SNI
b) allocate a separate IP for each HTTPS site you're hosting
c) use a wildcard or UCC/SAN certificate.

HTH,
Jonathan
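The behaviour Jonathan describes, reproduced end to end as an added example (this is not haproxy's or OpenSSL's code, and not something either poster wrote): a TLS server with several certificates selects one by the SNI name in the ClientHello and falls back to its default certificate when no SNI is sent or the name is unknown, which is exactly why a plain `openssl s_client -connect host:443` gets the "wrong" certificate while a browser, which sends SNI, gets the right one. The host names `default.example` and `subdomain.domain.tld` are placeholders, the certificates are throwaway self-signed ones generated on the fly with the Go standard library, and the server listens on loopback only. The CLI fix for s_client, for reference, is `openssl s_client -servername subdomain.domain.tld -connect subdomain.domain.tld:443`.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// selfSigned builds a throwaway self-signed certificate for one host name
// (demo material only; a real deployment would use CA-issued certificates).
func selfSigned(host string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// sniServerConfig mirrors a multi-certificate HTTPS front end: the SNI name
// from the ClientHello picks a certificate; anything else (including a
// ClientHello with no SNI extension at all) gets defaultCert.
func sniServerConfig(defaultCert tls.Certificate, byName map[string]tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{defaultCert},
		GetCertificate: func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
			if c, ok := byName[strings.ToLower(hello.ServerName)]; ok {
				return &c, nil
			}
			return nil, nil // nil falls back to Certificates[0], the default
		},
	}
}

// demoServer returns the config used below: a default certificate for
// "default.example" and a per-name certificate for "subdomain.domain.tld".
// Both names are placeholders, not real hosts.
func demoServer() (*tls.Config, error) {
	def, err := selfSigned("default.example")
	if err != nil {
		return nil, err
	}
	sub, err := selfSigned("subdomain.domain.tld")
	if err != nil {
		return nil, err
	}
	return sniServerConfig(def, map[string]tls.Certificate{"subdomain.domain.tld": sub}), nil
}

// presentedCert does one TLS handshake over loopback against serverCfg and
// returns the CommonName of the leaf certificate the server presented.
// serverName == "" sends no SNI extension, which is what a bare
// `openssl s_client -connect` does; a non-empty name is what -servername
// (or any SNI-capable browser) sends.
func presentedCert(serverCfg *tls.Config, serverName string) (string, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err != nil {
			srvErr <- err
			return
		}
		defer raw.Close()
		srvErr <- tls.Server(raw, serverCfg).Handshake()
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return "", err
	}
	defer raw.Close()
	cli := tls.Client(raw, &tls.Config{
		ServerName:         serverName, // "" = no SNI
		InsecureSkipVerify: true,       // self-signed demo certs: we inspect, not verify
	})
	if err := cli.Handshake(); err != nil {
		return "", err
	}
	if err := <-srvErr; err != nil {
		return "", err
	}
	return cli.ConnectionState().PeerCertificates[0].Subject.CommonName, nil
}

func main() {
	cfg, err := demoServer()
	if err != nil {
		panic(err)
	}
	for _, sni := range []string{"subdomain.domain.tld", "", "other.example"} {
		cn, err := presentedCert(cfg, sni)
		fmt.Printf("SNI=%q -> certificate CN=%q err=%v\n", sni, cn, err)
	}
}
```

Run it and the first handshake (SNI set) is answered with the `subdomain.domain.tld` certificate, while the second (no SNI, the bare s_client case) and the third (an SNI name the server has no certificate for) both get the default certificate. That fallback is Jonathan's point: without SNI the server has nothing but the destination IP to choose on, so the only ways to serve the right certificate to non-SNI clients are a dedicated IP per site or a wildcard/SAN certificate that covers all of them.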

