Hi Lukas,
great intuition :)
---
CONNECTED(00000003)
TLS server extension "server name" (id=0), len=0
TLS server extension "renegotiation info" (id=65281), len=1
0001 - <SPACES/NULS>
TLS server extension "EC point formats" (id=11), len=4
0000 - 03 00 01 02 ....
TLS server extension "session ticket" (id=35), len=0
TLS server extension "status request" (id=5), len=0
TLS server extension "heartbeat" (id=15), len=1
0000 - 01 .
depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = AlphaSSL CA - SHA256 - G2
verify return:1
depth=0 OU = Domain Control Validated, CN = *.makeprestashop.com
verify return:1
OCSP response:
======================================
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: 9F10D9EDA5260B71A677124526751E17DC85A62F
Produced At: Jul 20 16:42:53 2015 GMT
Responses:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 84D56BF8098BD307B766D8E1EBAD6596AA6B6761
Issuer Key Hash: F5CDD53C0850F96A4F3AB797DA5683E669D268F7
Serial Number: 11210839AC1CC2D1DC09BA07A33700E3E681
Cert Status: good
This Update: Jul 20 16:42:53 2015 GMT
Next Update: Jul 21 04:42:53 2015 GMT
[...]
---
It works locally or remotely!
Regards,
On Mon, 20 Jul 2015 17:42:03 +0200,
Lukas Tribus <[email protected]> wrote:
> > Hi Lukas,
> >
> > frontend cluster:443
> >     bind 1.2.3.4:443 ssl strict-sni crt /home/provisionning/0.pem crt /home/provisionning/cluster.d
> >     default_backend cluster
> >     capture request header Host len 255
>
> Can you confirm there is no SSL intercepting device in front of the
> webserver, like hardware firewalls/UTM and whatnot?
>
> Could you try with just a single certificate (single crt config pointing to a
> single certificate file, not a directory)?
>
> Can you make the openssl tests from the server, connecting locally without
> any intermediate devices?
>
>
>
> Thanks,
>
> Lukas
>
>
--
Marc-Antoine