On 3/25/2015 10:16 AM, Brandon wrote:
> Hi, I am trying to deploy HAProxy in HTTP mode in front of a Windows
> Server 2012 R2 ADFS 3.0 farm. In ADFS 3.0 backend servers require that
> clients support SNI.
>
> In my testing it does not appear that HAProxy is sending the ServerName
> extension in the TLS handshake and as a result I am receiving a "Bad
> Gateway" error. The HAProxy logs just say "Connection error during SSL
> handshake". I captured the traffic with Wireshark and the ServerName TLS
> extension is indeed missing and the ADFS server is sending a RESET
> packet right after the SSL HELLO packet.
Haproxy 1.5 does support SNI, but in order for it to work, the version of openssl used must also support it. If you're running an old OS, it might not have that support. RHEL6 and its derivatives (like CentOS6) include openssl 0.9.8e, and I don't think that version has SNI ... the release notes seem to indicate that it was added to 0.9.8f, and improved in 0.9.8m.

https://www.openssl.org/news/openssl-0.9.8-notes.html

For best results with TLS, you'll want to be running a very new openssl version.

Thanks,
Shawn
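A quick way to check the two things Shawn's reply turns on, given here as an added example that is not part of the thread: whether the local OpenSSL is at or past the 0.9.8f release he cites as adding SNI, and whether the backend actually behaves differently with and without the ServerName extension. The version threshold (any 0.9.8 letter of f or later, or any 1.x and newer, counts as SNI-capable) is an assumption drawn from the release notes he links; the host, port and name passed to the probe are placeholders for your own ADFS farm.

```shell
#!/bin/sh
# Added example (not from the HAProxy thread). Decide whether an OpenSSL
# version string is new enough to send the TLS ServerName (SNI) extension,
# using the 0.9.8f threshold cited in the reply. Assumption: 0.9.8f and
# later letters, and every 1.x or newer release, support SNI.
openssl_supports_sni() {
    # $1: output of `openssl version`, e.g. "OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008"
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p')
    [ -n "$ver" ] || return 2          # not an OpenSSL version string at all
    major=${ver%%.*}
    case "$major" in
        0)
            # 0.9.8 line: letters a-e predate SNI, f and later have it
            case "$ver" in
                0.9.8[f-z]*) return 0 ;;
                *)           return 1 ;;
            esac ;;
        *) return 0 ;;                 # 1.0.0 and later all carry SNI
    esac
}

# Probe a backend twice: once with -servername (SNI present) and once
# without. A reset on the plain handshake but a completed one with SNI is
# the signature the original poster saw in Wireshark. Assumption: host,
# port and SNI name are your own ADFS values; this needs network access.
sni_probe() {
    host=$1; port=$2; name=$3
    if openssl s_client -connect "$host:$port" -servername "$name" </dev/null >/dev/null 2>&1; then
        with_sni=ok
    else
        with_sni=fail
    fi
    if openssl s_client -connect "$host:$port" </dev/null >/dev/null 2>&1; then
        without_sni=ok
    else
        without_sni=fail
    fi
    printf 'with SNI: %s, without SNI: %s\n' "$with_sni" "$without_sni"
}

# Stand-alone usage: report on the OpenSSL found in PATH, if any.
if command -v openssl >/dev/null 2>&1; then
    v=$(openssl version)
    if openssl_supports_sni "$v"; then
        echo "$v: sends SNI"
    else
        echo "$v: too old for SNI (or not OpenSSL)"
    fi
fi
```

Run `sni_probe adfs.example.com 443 adfs.example.com` (placeholder values) from the HAProxy host; if the handshake only succeeds with `-servername`, the backend requires SNI and the proxy's OpenSSL must be one that can send it.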

