Hi Lukas,

On 09/02/2018 03:31 PM, Lukas Tribus wrote:
> Hello,
>
>
> On Sat, 1 Sep 2018 at 20:49, Lukas Tribus <[email protected]> wrote:
>>> I've confirmed the change in behavior only happens with an ECC
>>> certificate, an RSA certificate is not affected.
>>
>> Just to confirm that this is still an actual problem with current
>> haproxy and openssl 1.1.1pre9.
>>
>> You just have to use an ECC certificate instead of an RSA certificate,
>> and it will fail with TLSv1.1 when strict-sni is enabled.
>
> Actually the problem is worse: SNI doesn't work *at all* with ECC
> certificates in TLSv1.1 and TLSv1.0. It simply falls back to a
> matching RSA certificate or the default-certificate. Of course, if
> only the ECC certificate is there, and strict-sni is set, the
> handshake is rejected.

Just to be sure, do you mean:
> only the ECC certificate is there, *OR* strict-sni is set, the
> handshake is rejected.

> Same exact behavior happens with boringssl as well (not only openssl 1.1.1).
>
>
> Any help with this would be much appreciated.
>

We must go deeper, now that the bug is better qualified.

R,
Emeric
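Added reproduction helper for the behaviour discussed in this thread (not code from the thread, from haproxy or from OpenSSL/BoringSSL): it builds a TLS ClientHello pinned to TLSv1.0, 1.1 or 1.2 carrying a server_name extension, decodes such a record back, and can send it to a listener to report whether the first reply is a ServerHello or an alert, which is the difference between "SNI matched / fell back to another certificate" and "handshake rejected" under strict-sni. The host, port and names are assumptions; the cipher list and the all-zero client_random are constructed for illustration. The server_name extension itself is identical in all three versions; only signature_algorithms, which exists from TLS 1.2 on, is omitted for the older versions.

```python
"""Build, decode and send TLS ClientHellos with SNI pinned to one protocol version."""
import socket
import struct

TLS10, TLS11, TLS12 = 0x0301, 0x0302, 0x0303
EXT_SERVER_NAME = 0x0000           # RFC 6066
EXT_SIGNATURE_ALGORITHMS = 0x000D  # RFC 5246, TLS 1.2 only

# Constructed cipher list: one ECDSA and one RSA ECDHE suite, so the server
# has a reason to choose either an ECC or an RSA certificate.
CIPHER_SUITES = [0xC009, 0xC013]  # ECDHE-ECDSA-AES128-SHA, ECDHE-RSA-AES128-SHA


def build_client_hello(version, server_name):
    """Return a single TLS record carrying a ClientHello for `version` with SNI."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name      # NameType host_name(0)
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    extensions = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    if version >= TLS12:
        # signature_algorithms only exists from TLS 1.2; advertise ecdsa_secp256r1_sha256 and rsa_pkcs1_sha256.
        sigalgs = struct.pack("!HH", 0x0403, 0x0401)
        extensions += struct.pack("!HHH", EXT_SIGNATURE_ALGORITHMS,
                                  len(sigalgs) + 2, len(sigalgs)) + sigalgs
    suites = b"".join(struct.pack("!H", c) for c in CIPHER_SUITES)
    body = (struct.pack("!H", version)
            + bytes(32)                                   # client_random: constructed, all zero
            + b"\x00"                                     # empty session_id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                 # compression_methods: null only
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # HandshakeType client_hello(1)
    # Record-layer version stays TLS 1.0 for compatibility; negotiation uses the body version.
    return b"\x16" + struct.pack("!H", TLS10) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Decode a ClientHello record into its version, SNI host name and extension types."""
    if record[0] != 0x16:
        raise ValueError("not a handshake record")
    hs = record[5:]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    version = struct.unpack("!H", hs[4:6])[0]
    pos = 6 + 32                                          # skip version and client_random
    pos += 1 + hs[pos]                                    # session_id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]    # cipher_suites
    pos += 1 + hs[pos]                                    # compression_methods
    result = {"version": version, "server_name": None, "extensions": []}
    if pos >= len(hs):
        return result                                     # no extensions block at all
    end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        data = hs[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        result["extensions"].append(etype)
        # ServerNameList: list_len(2) name_type(1) name_len(2) name
        if etype == EXT_SERVER_NAME and len(data) >= 5 and data[2] == 0:
            nlen = struct.unpack("!H", data[3:5])[0]
            result["server_name"] = data[5:5 + nlen].decode("ascii")
    return result


def probe(host, port, version, server_name, timeout=5.0):
    """Send the ClientHello and classify the server's first record (needs a reachable listener)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(version, server_name))
        head = sock.recv(5)
        if len(head) < 5:
            return {"reply": "closed"}
        ctype, rlen = head[0], struct.unpack("!H", head[3:5])[0]
        payload = b""
        while len(payload) < rlen:
            chunk = sock.recv(rlen - len(payload))
            if not chunk:
                break
            payload += chunk
    if ctype == 0x15 and len(payload) >= 2:               # alert: level, description
        return {"reply": "alert", "level": payload[0], "description": payload[1]}
    if ctype == 0x16 and payload and payload[0] == 0x02:  # server_hello(2)
        return {"reply": "server_hello", "version": struct.unpack("!H", payload[4:6])[0]}
    return {"reply": "other", "content_type": ctype}


if __name__ == "__main__":
    # Hypothetical target: a haproxy listener with strict-sni whose name is served by an ECC-only certificate.
    for v in (TLS10, TLS11, TLS12):
        print(hex(v), probe("127.0.0.1", 8443, v, "ecc.example.test"))
```

To compare with the thread's report, point `probe` at the haproxy frontend once with the name that only has an ECC certificate and once with a name that has an RSA one, for each of the three versions; a `server_hello` reply means the server picked some certificate (which one must then be checked from the Certificate message or with `openssl s_client`), an `alert` reply is the strict-sni rejection. The decoder is there so the bytes sent can be checked against what a packet capture shows.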

