SNI identifies the requested virtualhost and finds in your config the configured certificate. In your attached messages I don't see where you load the virtualhost header (just the server IP) with openssl s_client.

Try with:

    openssl s_client -connect www.mydomain.com:443 <http://192.168.33.10:443/>

and force www.mydomain.com to resolve to the pound IP (192.168.11.10).

Regards!

2016-04-20 7:51 GMT+02:00 gojrzan <gojr...@poczta.onet.pl>:
> Hi,
>
> tl;dr: Does pound support SNI-enabled HTTPS backends?
>
>
> I have pound working fine terminating HTTPS and passing it to HTTP
> backends, but I need to add another service which uses HTTPS on its own. So
> I've added:
>
> ListenHTTPS
>     HeadRemove "X-Forwarded-Proto"
>     HeadRemove "X-Forwarded-For"
>     AddHeader "X-Forwarded-Proto: https"
>     Cert "/etc/ssl/private/wildcard-keycert_bundle.pem"
>     Address 192.168.11.10
>     Port 443
>
>     Service
>         HeadRequire "Host: .*www.domain.com.*"
>
>         BackEnd
>             Address 192.168.33.9
>             Port 443
>             HTTPS
>         End
>
>         BackEnd
>             Address 192.168.33.10
>             Port 443
>             HTTPS
>         End
>
>     End
> End
>
> But the browser only gets 'The service is not available. Please try again
> later.' while syslog on the pound host only logs:
>
> pound: BIO_do_handshake with 192.168.33.10:443 failed:
> error:00000000:lib(0):func(0):reason(0)
>
>
> The BackEnd is Microsoft's Web Application Proxy which I don't have direct
> access to, so I can't check its running config nor logs, but I think it's
> SNI-enabled because:
>
> If I curl it using its name I get what I expect; when I only use its IP:
>
> curl -kiv https://192.168.33.10
> * Rebuilt URL to: https://192.168.33.10/
> * Hostname was NOT found in DNS cache
> *   Trying 192.168.33.10...
> * Connected to 192.168.33.10 (192.168.33.10) port 443 (#0)
> * successfully set certificate verify locations:
> *   CAfile: none
>   CApath: /etc/ssl/certs
> * SSLv3, TLS handshake, Client hello (1):
> * Unknown SSL protocol error in connection to 192.168.33.10:443
> * Closing connection 0
> curl: (35) Unknown SSL protocol error in connection to 192.168.33.10:443
>
>
> The same goes for when using openssl s_client without the -servername param set:
>
> openssl s_client -connect 192.168.33.10:443
> CONNECTED(00000003)
> write:errno=104
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 0 bytes and written 295 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> ---
>
> while with the proper name s_client connects and certs get verified correctly.
>
>
> Does anyone use pound with SNI backends?
> If it's not supported yet, is it on the roadmap?
>
> It seems my only option is to reconfigure WAP so it serves the site I'm
> interested in as the default when SNI is not presented.
>
> Thanks
> Grzegorz
>
> P.S.
> It's my first post on this mailing list so please be gentle :)
>
> --
> To unsubscribe send an email with subject unsubscribe to pound@apsis.ch.
> Please contact ro...@apsis.ch for questions.
>

--
Load balancer distribution - Open Source Project
http://www.zenloadbalancer.com
Distribution list (subscribe): zenloadbalancer-supp...@lists.sourceforge.net