I think something's missing here; the check system doesn't seem to be
sending the SNI or validating the result.
If I do a backend line like:
server app2 internal.app2.example.ca:443 ssl verify required sni ssl_fc_sni ca-file /etc/ssl/certs/ca-certificates.crt check check-ssl
This works fine, but my server has no tls cert for
internal.app2.example.ca and the checks still pass verify. The server
side of things tells me the SNI never gets sent on the check connection,
hits the default cert (app2, no internal). Could be the same
null/default pathway?
--
Kevin
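Added configuration example (not from this thread, and not HAProxy's own documentation) showing the weak form described above beside a hardened one. Backend names, hostnames and the ca-file path are taken from the server line in the message; the behaviour notes rest on the fact that `ssl_fc_sni` is a sample fetch of the frontend connection, which a health check does not have, so the `sni` expression yields nothing on check connections. The `check-sni` keyword is assumed to be available (HAProxy 1.8 and later).

```haproxy
# Weak form: SNI for the check comes from ssl_fc_sni, which is empty on a
# health check because there is no frontend connection to fetch it from.
backend app2_weak
    server app2 internal.app2.example.ca:443 ssl verify required sni ssl_fc_sni ca-file /etc/ssl/certs/ca-certificates.crt check check-ssl
    # Effect: proxied traffic forwards the visitor's SNI, but the check
    # connection carries none and lands on the server's default cert.
    # "verify required" only validates the chain against ca-file; with no
    # SNI and no verifyhost, a CA-signed default cert for another name
    # passes the check.

# Hardened form: pin the expected name for certificate verification on
# every connection and send it as SNI on the check connection too.
backend app2_strict
    server app2 internal.app2.example.ca:443 ssl verify required sni ssl_fc_sni verifyhost internal.app2.example.ca ca-file /etc/ssl/certs/ca-certificates.crt check check-ssl check-sni internal.app2.example.ca
    # verifyhost: the presented certificate must match this name, checks
    # included, so the default cert for a different name now fails.
    # check-sni (assumed: HAProxy 1.8+): SNI sent on check connections,
    # so the check exercises the same certificate real traffic would.
```

A quick way to confirm the fix from the server side is to compare which certificate the server logs as selected for the check connection before and after adding `check-sni`; with the weak form it is the default one, with the hardened form it is the one for `internal.app2.example.ca`.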
On 2017-07-28 9:41 AM, Willy Tarreau wrote:
> On Fri, Jul 28, 2017 at 08:45:37AM -0700, Kevin McArthur wrote:
>> Sounds good Willy, where did we leave the issue of the SNI,
>> verifypeer/verifyhost validation and the checks subsystem?
> The checks are now covered by verifyhost as they used to, that
> was the main purpose.
> Willy