Hi Lukas, > Le 2 sept. 2018 à 15:31, Lukas Tribus <lu...@ltri.eu> a écrit : > On Sat, 1 Sep 2018 at 20:49, Lukas Tribus <lu...@ltri.eu> wrote: >>> I've confirmed the change in behavior only happens with an ECC >>> certificate, an RSA certificate is not affected. >> >> Just to confirm that this is still an actual problem with current >> haproxy and openssl 1.1.1pre9. >> >> You just have to use a ECC certificate instead of a RSA certificate, >> and it will fail with TLSv1.1 when strict-sni is enabled. > > Actually the problem is worse: SNI doesn't work *at all* with ECC > certificates in TLSv1.1 and TLSv1.0. It simply falls back to a > matching RSA certificate or the default-certificate. Of course, if > only the ECC certificate is there, and strict-sni is set, the > handshake is rejected. > > Same exact behavior happens with boringssl as well (not only openssl 1.1.1). > > > Any help with this would be much appreciated. >
It’s in ssl_sock_switchctx_cbk for openssl 1.1.1/boringssl: /* without TLSEXT_TYPE_signature_algorithms extension (< TLS 1.2) */ has_ecdsa_sig is not enable -> no check for ECDSA cipher -> ECC certificate for TLS < 1.2 can’t be selected. strict-sni disable the default cert fallback, so handshake is rejected with no rsa certificate. Certificate selection must be changed to match this case (check for ECDSA cipher when TLS < 1.2). I can look at that. ++ Manu