Hello, yesterday we were looking for a client-side custom SNI string for one of our clients and chose stunnel (as outbound TLS termination) for two reasons: 1) ability to send a client certificate (client mode) 2) ability to send a custom SNI header in client mode
We have used haproxy as our main L7 router for years, with a little bit of stunnel for client cert auth. Do you have any plans to add these features in 1.6? Thanks.

---
Best regards,
Eugene Istomin

> On Mon, Aug 18, 2014 at 05:46:14PM +0200, Baptiste wrote:
> > On Mon, Aug 18, 2014 at 2:40 PM, Willy Tarreau <[email protected]> wrote:
> > > Hi Benedikt,
> > >
> > > On Mon, Aug 18, 2014 at 10:17:02AM +0200, Benedikt Fraunhofer wrote:
> > >> Hello List,
> > >>
> > >> I'm trying to help a java6-app that can't connect to a server which
> > >> seems to support SNI-only.
> > >>
> > >> I thought I could just add some frontend and backend stanzas
> > >>
> > >> and include the sni-only server as a server in the backend-section like so:
> > >> server a 1.2.3.4:443 ssl verify none force-tlsv12
> > >>
> > >> (I had verify set, just removed it to keep it simple and rule it out)
> > >>
> > >> But it seems the server in question insists on SNI, whatever force-* I
> > >> use and the connection is tcp-reset by the server (a) right after the
> > >> Client-Hello from haproxy.
> > >>
> > >> Is there a way to specify the "TLS SNI field" haproxy should use for
> > >> these outgoing connections?
> > >
> > > Not yet. We identified multiple needs for this field which a single
> > > constant in the configuration will not solve. While some users will
> > > only need a constant value (which seems to be your case), others
> > > need to forward the SNI they got on the other side, or to build one
> > > from a Host header field.
> > >
> > > So it's likely that we'll end up with a sample expression instead of
> > > a constant. Additionally that means that for health checks we need an
> > > extra setting (likely a constant this time).
> > >
> > > But for now, the whole solution is not designed yet, let alone
> > > implemented.
> >
> > Btw is this something you're actively looking at, to design/implement?
> > People on the list should be able to provide feedback about the planned
> > expression to set the SNI field for client connections..
> > > regards,
> > > Willy
> > > > Hi,
> > > > Microsoft Lync seems to have the same requirement for SNI...
> > We need it in both traffic and health checks.
> > OK, good to know.
> > > Thanks,
> > -- Pasi
> >
> Baptiste

