On Fri, Oct 10, 2014 at 07:21:04AM +0200, Willy Tarreau wrote:
> Hello Eugene,
>
> On Fri, Oct 10, 2014 at 08:13:43AM +0300, Eugene Istomin wrote:
> > Hello,
> >
> > yesterday we were looking for the client-side SNI custom string for one of
> > our clients and chose stunnel (as outbound TLS termination) for two
> > reasons:
> > 1) ability to send client certificate (client mode)
> > 2) ability to send custom SNI header in client mode
> >
> > We use haproxy as main L7 routers for years with a little bit of stunnel
> > for client cert auth.
> > Do you have any plans to add these features in 1.6?
>
> It is already possible to send the client certificate, you just have
> to specify "crt <cert>" on the server line. There are some ongoing
> discussions about SNI. We all want to have it but want to ensure we're
> doing it correctly. Most users want to have a dynamic one, at least being
> able to retrieve the one from the other side, and possibly extract it
> from a Host header. And of course also from a static string. We're just
> trying to find the best way to configure this so that it's easy for all
> users.
>
> I personally think that a sample expression would be appropriate, just
> as for the "usesrc" keyword (which is currently limited). I'd rather
> avoid the ugly logformat string at this point since I don't think we
> need this complexity.
>
> If you have any opinion on the subject, please voice in!
>
Hey,

As long as the client side SNI is dynamic/configurable, I'm happy.
All the scenarios you described above are valid (retrieve from the other
side, extract from Host header, static string).

> Best regards,
> Willy
>

Thanks,

-- Pasi

