On Mon, Aug 18, 2014 at 2:40 PM, Willy Tarreau <[email protected]> wrote:
> Hi Benedikt,
>
> On Mon, Aug 18, 2014 at 10:17:02AM +0200, Benedikt Fraunhofer wrote:
>> Hello List,
>>
>> I'm trying to help a java6-app that can't connect to a server which
>> seems to support SNI-only.
>>
>> I thought I could just add some frontend and backend stanzas
>> and include the sni-only server as a server in the backend-section like so:
>>
>>    server a 1.2.3.4:443 ssl verify none force-tlsv12
>>
>> (I had verify set, just removed it to keep it simple and rule it out)
>>
>> But it seems the server in question insists on SNI, whatever force-* I
>> use and the connection is tcp-reset by the server (a) right after the
>> Client-Hello from haproxy.
>>
>> Is there a way to specify the "TLS SNI field" haproxy should use for
>> these outgoing connections?
>
> Not yet. We identified multiple needs for this field which a single
> constant in the configuration will not solve. While some users will
> only need a constant value (which seems to be your case), others
> need to forward the SNI they got on the other side, or to build one
> from a Host header field.
>
> So it's likely that we'll end up with a sample expression instead of
> a constant. Additionally that means that for health checks we need an
> extra setting (likely a constant this time).
>
> But for now, the whole solution is not designed yet, let alone implemented.
>
> regards,
> Willy

Hi,

Microsoft Lync seems to have the same requirement for SNI...
We need it in both traffic and health checks.

Baptiste

