On Mon, Aug 18, 2014 at 05:46:14PM +0200, Baptiste wrote:
> On Mon, Aug 18, 2014 at 2:40 PM, Willy Tarreau <[email protected]> wrote:
> > Hi Benedikt,
> >
> > On Mon, Aug 18, 2014 at 10:17:02AM +0200, Benedikt Fraunhofer wrote:
> >> Hello List,
> >>
> >> I'm trying to help a java6-app that can't connect to a server which
> >> seems to support SNI-only.
> >>
> >> I thought I could just add some frontend and backend stanzas
> >> and include the sni-only server as a server in the backend-section like so:
> >>
> >>    server a 1.2.3.4:443 ssl verify none force-tlsv12
> >>
> >> (I had verify set, just removed it to keep it simple and rule it out)
> >>
> >> But it seems the server in question insists on SNI, whatever force-* I
> >> use and the connection is tcp-reset by the server (a) right after the
> >> Client-Hello from haproxy.
> >>
> >> Is there a way to specify the "TLS SNI field" haproxy should use for
> >> these outgoing connections?
> >
> > Not yet. We identified multiple needs for this field which a single
> > constant in the configuration will not solve. While some users will
> > only need a constant value (which seems to be your case), others
> > need to forward the SNI they got on the other side, or to build one
> > from a Host header field.
> >
> > So it's likely that we'll end up with a sample expression instead of
> > a constant. Additionally that means that for health checks we need an
> > extra setting (likely a constant this time).
> >
> > But for now, the whole solution is not designed yet, let alone implemented.
> >

Btw is this something you're actively looking at, to design/implement?
People on the list should be able to provide feedback about the planned
expression to set the SNI field for client connections.

> > regards,
> > Willy
> >
>
> Hi,
>
> Microsoft Lync seems to have the same requirement for SNI...
> We need it in both traffic and health checks.
>

OK, good to know.

Thanks,

-- Pasi

> Baptiste
>

