Hello Emeric,

On 22 May 2018 at 14:44, Emeric Brun <[email protected]> wrote:
> Hi Lukas,
>
> I've just made some tests using openssl-1.1.1-pre6 and can't reproduce the
> issue.
>
> Here is my simple configuration:
> frontend my
>     mode http
>     bind :443 ssl crt default strict-sni
>     redirect location /
>
> (default certificate CN is aloha)
>
> I've tested with openssl-1.1.1-pre6 as client without issue (same thing with
> 1.0.2g)
>
> openssl s_client -connect 10.0.3.168:443 -tls1_1 -servername aloha
> HS => OK
> openssl s_client -connect 10.0.3.168:443 -tls1 -servername aloha
> HS => OK
> openssl s_client -connect 10.0.3.168:443 -tls1 -servername foobar
> HS => KO
>
> My haproxy sources are latest 1.8 + some backports from dev branch
>
> Do you have any specific parameter related to ssl in your global section?

I have this in the global section:

    ssl-server-verify none
    tune.ssl.default-dh-param 2048

And I am compiling openssl 1.1.1 with:

    ./config --prefix=/home/lukas/libsslbuild/ no-shared enable-ec_nistp_64_gcc_128 enable-weak-ssl-ciphers

The certificate is NOT an RSA certificate, but an ECC certificate (prime256v1,
from Let's Encrypt, see https://crt.sh/?id=474207449)

Unsure if/what is triggering the behavior that is not present on your side.

Thanks,
Lukas

