I will capture a Wireshark. Do you want this running on my workstation that
is doing the testing?
strict-sni seem to help.
Sorry I am not sure what this is. If you can let me know, I can get you the
info.
Can you tell if the wildcard hostnames are in the CN or in the SAN field of
the certificate?
How do I use/test the workaround you mention below?
-----Original Message-----
From: Lukas Tribus
Sent: Saturday, March 28, 2015 8:24 PM
To: Peter Butler ; [email protected] ; [email protected]
Subject: RE: HAProxy with multiple certificates, one of which being wild
card, and the other being sub of that wildcard
In fact, I am sure it's a bug.
I also happen to have the following certs:
*.apps.mycompany.com.au
*.its.apps.mycompany.com.au
If I go to sitea.its.apps.mycompany.com.au, I get the
*.apps.mycompany.com.au certificate
The workaround in the meantime is to make sure haproxy
loads the more specific (longer) wildcard certificate before
the less specific certificate.
This should make it work until there's a fix for this.
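
An added illustration of the workaround above, not part of the original thread and not HAProxy's code: a simplified model, assumed here, in which the lookup returns the first loaded wildcard whose suffix matches the SNI name. It reproduces the reported symptom with the two certificate names from the thread, shows why load order changes the result, and compares that with a single-label wildcard match.

```python
"""Toy model of SNI wildcard certificate selection (constructed example)."""

# Certificate names from the thread, in the order that shows the symptom.
CERTS_REPORTED = ["*.apps.mycompany.com.au", "*.its.apps.mycompany.com.au"]
# Workaround from the thread: load the more specific (longer) wildcard first.
CERTS_WORKAROUND = list(reversed(CERTS_REPORTED))


def suffix_match(pattern: str, host: str) -> bool:
    """Loose match (assumed model): '*' may cover several labels."""
    return pattern.startswith("*.") and host.lower().endswith(pattern[1:].lower())


def single_label_match(pattern: str, host: str) -> bool:
    """Strict match: '*' stands for exactly one leftmost label."""
    if not pattern.startswith("*."):
        return pattern.lower() == host.lower()
    label, _, rest = host.partition(".")
    return bool(label) and rest.lower() == pattern[2:].lower()


def select_first(load_order, host, match):
    """Return the first loaded certificate whose name matches the SNI host."""
    for pattern in load_order:
        if match(pattern, host):
            return pattern
    return None


def select_most_specific(certs, host):
    """Order-independent choice: the longest matching pattern wins."""
    hits = [p for p in certs if suffix_match(p, host)]
    return max(hits, key=len, default=None)


if __name__ == "__main__":
    host = "sitea.its.apps.mycompany.com.au"
    for name, order in (("reported", CERTS_REPORTED), ("workaround", CERTS_WORKAROUND)):
        print(name, "loose first-match  ->", select_first(order, host, suffix_match))
        print(name, "strict first-match ->", select_first(order, host, single_label_match))
    print("most specific ->", select_most_specific(CERTS_REPORTED, host))
```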