> I will capture a wireshark. Do you want this running on my workstation that
> is doing the testing?

Doesn't matter where, as long as it captures the complete TCP session (tcpdump -s0, to avoid truncating the packets) from an OK and from a failed session.

> strict-sni seems to help. Not yet sure why, but it is important information.
> Sorry I am not sure what this is. If you can let me know, I can get you the
> info.

> Can you tell if the wildcard hostnames are in the CN or in the SAN field of
> the certificate?

Your browser will show this information when you click on certificate details. One of them is the CN (Common Name) value, which is the classic hostname used to verify the certificate, and SAN (Subject Alternative Name) is another field that can contain multiple hostnames: http://en.wikipedia.org/wiki/SubjectAltName

> How do I use/test the workaround you mention below?

The "*.its.apps.mycompany.com.au" certificate should be loaded before "*.apps.mycompany.com.au". You can do this by renaming them appropriately (if you are using haproxy 1.5.11).

Also, please provide the output of haproxy -vv (not -v, double v).

Thanks,
Lukas
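The two points raised above (CN versus SAN names, and why the more specific wildcard certificate should be loaded first) can be illustrated with a small hostname matcher. The following is an added example, not code from this thread or from HAProxy: the certificate records are constructed from the hostnames mentioned in the thread, `select_certificate` is a simplified first-match model rather than HAProxy's own SNI lookup, and `lenient_match` is only there to show what goes wrong when a matcher lets `*` span several labels.

```python
"""Wildcard certificate name matching and first-match certificate selection.

Added example for the thread above (not the list's or HAProxy's code).  The
sample certificates are constructed; select_certificate() is a simplified
first-match model of picking a certificate by the SNI hostname.
"""

from fnmatch import fnmatchcase
from typing import Callable, Dict, List, Optional


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style check: '*' is only allowed as the entire left-most label
    and matches exactly one label.  '*.apps.example' therefore matches
    'a.apps.example' but not 'a.b.apps.example' and not 'apps.example'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False  # wildcard permitted only as the whole first label
    if len(p_labels) < 3:
        return False  # refuse overly broad '*.com'-style wildcards
    if len(h_labels) != len(p_labels):
        return False  # '*' covers exactly one label, never several
    return p_labels[1:] == h_labels[1:]


def lenient_match(pattern: str, hostname: str) -> bool:
    """Shell-style matcher where '*' may span dots; shown only to demonstrate
    why certificate order matters once a matcher is this permissive."""
    return fnmatchcase(hostname.lower(), pattern.lower())


def cert_names(cert: Dict) -> List[str]:
    """Names a certificate is valid for: the SAN dNSNames when the extension is
    present, otherwise the CN (modern clients ignore the CN once a SAN exists)."""
    return list(cert["san"]) if cert.get("san") else [cert["cn"]]


def select_certificate(
    certs: List[Dict],
    sni: str,
    matcher: Callable[[str, str], bool] = hostname_matches,
) -> Optional[str]:
    """Walk the certificates in load order and return the label of the first
    one whose CN/SAN names cover the SNI hostname, or None."""
    for cert in certs:
        if any(matcher(name, sni) for name in cert_names(cert)):
            return cert["label"]
    return None


# Constructed sample certificates, using the wildcard names from the thread,
# in the recommended load order: most specific wildcard first.
CERTS = [
    {"label": "its-wildcard",
     "cn": "*.its.apps.mycompany.com.au",
     "san": ["*.its.apps.mycompany.com.au"]},
    {"label": "apps-wildcard",
     "cn": "*.apps.mycompany.com.au",
     "san": ["*.apps.mycompany.com.au"]},
]


if __name__ == "__main__":
    host = "portal.its.apps.mycompany.com.au"
    for order, certs in (("specific first", CERTS), ("generic first", CERTS[::-1])):
        print(order, "strict:", select_certificate(certs, host),
              "lenient:", select_certificate(certs, host, lenient_match))
```

With the strict matcher the load order is irrelevant, because `*.apps.mycompany.com.au` can never cover a host under `its.apps.mycompany.com.au`. With the lenient matcher, the generic certificate swallows the `its` hosts as soon as it is listed first, which is exactly the situation the "load the more specific certificate first" workaround guards against; the strict semantics are the ones a client will apply when it verifies the certificate it is handed.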

