Lukas,
Excellent analysis there!
As of this morning, I have removed the no-tlsv10 option from the bind and
asked folks to report back if they are still seeing the default certificate
when they are not supposed to.
The extended logging is also enabled. If I do get these errors again, I will
I suspect that some clients fail to use SNI. I've already seen
this from time to time. It looks like after some errors, they
refrain from using SNI or even TLS at all and fall back to SSLv3.
This scared me a bit, so I've done some digging.
I've found 2 related bug reports with a lot of
On Fri, Mar 15, 2013 at 11:35:01PM +0100, Lukas Tribus wrote:
I suspect that some clients fail to use SNI. I've already seen
this from time to time. It looks like after some errors, they
refrain from using SNI or even TLS at all and fall back to SSLv3.
This scared me a bit, so I've done
On 22 February 2013 08:29, Kenneth Mutka slay...@gmail.com wrote:
Hi,
I'm having a bit of a problem with my certificates. I have about 15 separate
certificates, including the default one. Apart from listening to 443, I also
have a bunch of regular HTTP sites.
Now, obviously I am using the
Hi,
As I mentioned in my original email - The problem is intermittent, i.e. it
works sometimes and other times not. And I do not mean with different
clients - A page refresh is sufficient for HAProxy to return the correct
certificate.
All clients that connect use TLS1.1 and have support for SNI.
If you upgrade to a recent snapshot you can use the strict-sni feature [1].
This way, when the client doesn't provide SNI, the handshake is aborted.
I think this is important even when your clients are supposed to support SNI;
the client may be buggy or the SNI detection in haproxy -
Are you *only* selecting based on SNI? I ask because our setup uses
cookies as well, specifically to get around SNI issues (we store the
cookie on normal HTTP as well as HTTPS, and use it as a fallback if
SNI fails). If you have other things going on besides SNI, that
could explain that