Check-ssl with SNI


#1

I have configured my https-front to route by domain
use_backend back1 if { req_ssl_sni -i back1.com }
use_backend back2 if { req_ssl_sni -i back2.com }

  • all working nicely once we told the iis-servers to require SNI

Now I want to configure the backend checks to check with SNI, but it keeps reporting (layer6 invalid response: connection error during ssl handshake (connection reset by peer))

my config for backend is:
balance roundrobin
acl tls req.ssl_hello_type 1
option ssl-hello-chk
server srv1 1.2.3.4:443 check check-ssl verify none sni str(back1.com)
server srv2 1.2.3.5:443 check check-ssl verify none sni str(back1.com)

  • I’ve tried with sni ssl_fc_sni, but same result.

I have compiled with ssl-support - host OS is CentOS 7, and haproxy version is 1.8.13
what am I doing wrong here?

To test connection I have tried ‘openssl s_client -connect 1.2.3.4:443 -servername back1.com’, and it connects perfectly well

I should probably mention that certificates are valid and issued by GeoTrust Inc.


#2

Frontend decisions such as SNI routing don’t have anything to do with your backend requiring SNI. You may have come to the wrong conclusion here.

Apart from the fact that you should set the flag to require SNI on the backend server, here is what’s wrong:

  • option ssl-hello-chk simulates an obsolete SSLv3 client_hello and must be removed
  • if your backend requires SNI and you are using SSL level health-check like you do, you also need to manually specify the SNI value used for the health check, otherwise haproxy does not have the information and the health-check fails. Use check-sni
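A corrected configuration along the lines of this answer, as an added example that is not from the thread or from the HAProxy project. Backend names, addresses, hostnames and the CA bundle path are assumptions, and the frontend is shown as a TCP-mode SNI passthrough since the original routes on req_ssl_sni.

```haproxy
# Added example (not from the thread): TCP-mode SNI passthrough frontend with
# SNI-aware SSL health checks. Names, addresses, hostnames and the CA bundle
# path are placeholders; assumes HAProxy 1.8 built with OpenSSL.

frontend https-front
    bind *:443
    mode tcp
    # Without inspect-delay plus a content accept, req_ssl_sni is evaluated
    # before the ClientHello has arrived and the use_backend rules never match.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    use_backend back1 if { req_ssl_sni -i back1.com }
    use_backend back2 if { req_ssl_sni -i back2.com }

backend back1
    mode tcp
    balance roundrobin
    # No "option ssl-hello-chk": it sends a bare SSLv3 ClientHello without
    # SNI and conflicts with check-ssl.
    # check-sni sets the SNI used in the health-check handshake; the "sni"
    # keyword only applies to forwarded traffic on an "ssl" server line, and
    # this backend passes the TLS stream through without re-encrypting it.
    # verify required + ca-file + verifyhost (assumed CentOS bundle path) makes
    # the check fail when the backend presents a certificate the proxy does
    # not trust, instead of accepting anything as "verify none" would.
    server srv1 1.2.3.4:443 check check-ssl check-sni back1.com verify required ca-file /etc/pki/tls/certs/ca-bundle.crt verifyhost back1.com
    server srv2 1.2.3.5:443 check check-ssl check-sni back1.com verify required ca-file /etc/pki/tls/certs/ca-bundle.crt verifyhost back1.com
```

Run `haproxy -c -f /path/to/haproxy.cfg` to validate the file before reloading; the stats socket or `show servers state` then reports the checks as L6 passed once the SNI is sent.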

#3

ok - the ssl-hello-chk was removed, and check-sni inserted, and now I get a very nice ‘layer 6 check passed’.
I am aware the frontend-routing has nothing to do with backend checks - it was just to say that the whole SNI part is enabled and working. - thanks a lot :slight_smile:


#4

Ok, good. I realized that I omitted a “not” above: I meant to say that you should NOT require SNI on your backend - because it only complicates everything.