Hi Benedikt,

On Mon, Aug 18, 2014 at 10:17:02AM +0200, Benedikt Fraunhofer wrote:
> Hello List,
>
> I'm trying to help a java6-app that can't connect to a server which
> seems to support SNI-only.
>
> I thought I could just add some frontend and backend stanzas
> and include the sni-only server as a server in the backend-section like so:
>
>   server a 1.2.3.4:443 ssl verify none force-tlsv12
>
> (I had verify set, just removed it to keep it simple and rule it out)
>
> But it seems the server in question insists on SNI, whatever force-* I
> use and the connection is tcp-reset by the server (a) right after the
> Client-Hello from haproxy.
>
> Is there a way to specify the "TLS SNI field" haproxy should use for
> these outgoing connections?

Not yet. We identified multiple needs for this field which a single constant in the configuration will not solve. While some users will only need a constant value (which seems to be your case), others need to forward the SNI they got on the other side, or to build one from a Host header field. So it's likely that we'll end up with a sample expression instead of a constant.

Additionally that means that for health checks we need an extra setting (likely a constant this time).

But for now, the whole solution is not designed yet, let alone implemented.

regards,
Willy

