Hi HAProxy list
We use an HAProxy 1.7.11 instance to terminate SSL and load balance
100+ websites.
The simplified bind line below specifies a default cert (i.e.
secure.example.com.pem) as required in this HAProxy version, and a
directory path to all other certs (i.e. ./):
bind 127.0.0.1:443 ssl crt secure.example.com.pem crt ./
This configuration works as expected. HAProxy finds all certs and the
correct one is used when the TLS SNI extension is provided. For example,
visiting https://secure.example.com/ and https://www.example.com/
(with an SNI-capable web browser) both work perfectly.
The other day I inadvertently appended a trailing dot to the hostname
for one of our sites (e.g. https://www.example.com.), and when I did
this HAProxy returned the default cert to the browser rather than the
expected cert for that particular site. I'm not certain, but could
this be a possible bug in the HAProxy code that matches the servername
provided by the browser's TLS SNI extension against all loaded certificates?
As a further example of the problem, I note that the issue can be
reproduced on the haproxy.org website as follows using the OpenSSL client:
Works as expected; HAProxy returns the correct cert for haproxy.org:
openssl s_client -connect www.haproxy.org:443 -servername www.haproxy.org
With a trailing dot on the servername, HAProxy returns what I think is the
default cert (an invalid StartCom-issued cert for formilux.org):
openssl s_client -connect www.haproxy.org:443 -servername www.haproxy.org.
Please let me know if I should provide any further information.
Regards
Warren
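As an added illustration (not HAProxy's own code and not part of the original post), here is the SNI-to-certificate lookup the message describes, with the servername normalised (lowercased, one trailing dot dropped) before it is compared to the loaded certificate names. The names list and the `normalize_sni`/`select_cert` functions are constructed for this example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed list of names loaded from the cert file and cert directory.
 * Index 0 plays the role of the default cert named first on the bind line. */
static const char *const loaded_names[] = {
    "secure.example.com",   /* default cert */
    "www.example.com",
    "*.shop.example.com",   /* wildcard SAN */
};
#define NUM_LOADED (sizeof loaded_names / sizeof loaded_names[0])

/* Copy servername into out (size outlen), lowercased and without a single
 * trailing dot (DNS fully-qualified notation). Returns false if the result
 * is empty or does not fit. */
bool normalize_sni(const char *servername, char *out, size_t outlen) {
    size_t len = strlen(servername);
    if (len > 0 && servername[len - 1] == '.')
        len--;                           /* strip the trailing dot */
    if (len == 0 || len >= outlen)
        return false;
    for (size_t i = 0; i < len; i++)
        out[i] = (char)tolower((unsigned char)servername[i]);
    out[len] = '\0';
    return true;
}

/* Does a loaded name (exact or "*.suffix") cover the normalised host?
 * The wildcard covers exactly one leftmost label, as in RFC 6125. */
static bool name_matches(const char *pattern, const char *host) {
    if (pattern[0] != '*' || pattern[1] != '.')
        return strcmp(pattern, host) == 0;
    const char *dot = strchr(host, '.');
    return dot != NULL && dot != host && strcmp(dot, pattern + 1) == 0;
}

/* Index of the cert to present, or 0 (the default cert) when no loaded
 * name covers the requested servername. */
size_t select_cert(const char *servername) {
    char host[256];
    if (!normalize_sni(servername, host, sizeof host))
        return 0;
    for (size_t i = 0; i < NUM_LOADED; i++)
        if (name_matches(loaded_names[i], host))
            return i;
    return 0;
}
```

Without the trailing-dot step in `normalize_sni`, "www.example.com." would fall through to the default cert exactly as the post describes.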