Jarno,

Thank you, your suggestion for setting the default ADFS certificate worked!

On Thu, Mar 26, 2015 at 12:44 AM, Jarno Huuskonen <[email protected]>
wrote:

> Hi,
>
> On Wed, Mar 25, Shawn Heisey wrote:
> > On 3/25/2015 10:16 AM, Brandon wrote:
> > > Hi, I am trying to deploy HAProxy in HTTP mode in front of a Windows
> > > Server 2012 R2 ADFS 3.0 farm. In ADFS 3.0 backend servers require that
> > > clients support SNI.
> > >
> > > In my testing it does not appear that HAProxy is sending the ServerName
> > > extension in the TLS handshake and as a result I am receiving a "Bad
> > > Gateway" error. The HAProxy logs just say "Connection error during SSL
> > > handshake". I captured the traffic with wireshark and the ServerName TLS
> > > extension is indeed missing and the ADFS server is sending a RESET
> > > packet right after the SSL HELLO packet.
>
> Do any of the force-tls10, force-tls11 or force-tls12 (or no-sslv3)
> make any difference?
>
> > Haproxy 1.5 does support SNI, but in order for it to work, the version
> > of openssl used must also support it.  If you're running an old OS, it
> > might not have that support.  RHEL6 and its derivatives (like CentOS6)
> > include openssl 0.9.8e, and I don't think that version has SNI ... the
>
> CentOS6 (6.6) comes with openssl 1.0.1e, but it also has compatibility
> package:
> openssl098e. (haproxy -vv should show what version you're using).
>
> It should be possible to configure ADFS not to require SNI(=add default
> binding), we're testing netscaler as adfs proxy (netscaler doesn't support
> SNI on backend). And the default binding seems to work.
> (For example: http://jesperstahle.azurewebsites.net/?p=1382)
>
> -Jarno
>
> --
> Jarno Huuskonen
>
>
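Jarno's advice above is to check `haproxy -vv` for the OpenSSL version HAProxy is actually linked against (CentOS 6 ships both 1.0.1e and the openssl098e compatibility package). The following shell snippet is an added example, not code from the thread or from the HAProxy project: it pulls the runtime OpenSSL version and the "supports SNI" line out of `haproxy -vv` output so the check can be scripted across a fleet. The `SAMPLE_VV` text is a constructed, abbreviated imitation of HAProxy 1.5's `-vv` output; run the function on the real command's output on a live host.

```shell
# Added example: parse `haproxy -vv` output for OpenSSL version and SNI support.
# SAMPLE_VV is constructed to resemble HAProxy 1.5 on CentOS 6 (abbreviated).
SAMPLE_VV='HA-Proxy version 1.5.4 2014/09/02

Build options :
  TARGET  = linux2628
  OPTIONS = USE_LINUX_TPROXY=1 USE_ZLIB=1 USE_OPENSSL=1 USE_PCRE=1

Built with OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
Running on OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes'

# openssl_runtime_version VV_OUTPUT
# Prints the version string from the "Running on OpenSSL version" line
# (the runtime library matters more than the build-time one if they differ).
openssl_runtime_version() {
    printf '%s\n' "$1" | sed -n 's/^Running on OpenSSL version : OpenSSL \([^ ]*\).*/\1/p'
}

# openssl_build_version VV_OUTPUT
# Prints the version string from the "Built with OpenSSL version" line.
openssl_build_version() {
    printf '%s\n' "$1" | sed -n 's/^Built with OpenSSL version : OpenSSL \([^ ]*\).*/\1/p'
}

# sni_supported VV_OUTPUT
# Returns 0 if HAProxy reports that its OpenSSL library supports SNI, 1 otherwise.
sni_supported() {
    printf '%s\n' "$1" | grep -q '^OpenSSL library supports SNI : yes$'
}

# sni_check VV_OUTPUT
# Prints a one-line verdict and returns 0 (usable) or 1 (no SNI / version mismatch).
sni_check() {
    run_ver=$(openssl_runtime_version "$1")
    build_ver=$(openssl_build_version "$1")
    if [ -n "$run_ver" ] && [ -n "$build_ver" ] && [ "$run_ver" != "$build_ver" ]; then
        echo "WARNING: built against OpenSSL $build_ver but running on $run_ver"
    fi
    if sni_supported "$1"; then
        echo "OpenSSL ${run_ver:-unknown}: SNI supported by the linked library"
        return 0
    fi
    echo "OpenSSL ${run_ver:-unknown}: no SNI support reported (e.g. linked to openssl098e); relink haproxy against a newer OpenSSL"
    return 1
}

sni_check "$SAMPLE_VV"
# On a live host: sni_check "$(haproxy -vv)"
```

Note that a "yes" here only tells you the library can speak the TLS ServerName extension; whether HAProxy sends it on backend connections is a separate question decided by the HAProxy version and its server configuration, which is why the thread's working fix was a default (non-SNI) binding on the ADFS side.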
