Thank you for your help.
I have tested without CRL files and I don't have any further information in the logs about the client certificate presented.
The more global problem we’re facing is that we have some partners who connect with client certificates and others who don’t. We therefore set up an https frontend with optional verification of the client certificates presented. However, it seems that some client software programs don’t understand the optional certificate presentation parameter correctly, and the connection fails.
To get around the problem, here’s the solution we’ve come up with (loop inside HAProxy):
frontend tcp-443
    bind *:443
    mode tcp
    option tcplog
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    # App1 is not protected by client cert
    acl sni_app1 req_ssl_sni -i app1-without-client-cert.mydomain.com
    use_backend dummy_backend_without_client_cert if sni_app1
    # App2 is protected by client cert
    acl sni_app2 req_ssl_sni -i app2-with-client-cert.mydomain.com
    use_backend dummy_backend_with_client_cert if sni_app2

backend dummy_backend_without_client_cert
    mode tcp
    server dummy_frontend_without_client_cert 127.0.0.1:5401 send-proxy

frontend dummy_frontend_without_client_cert
    bind 127.0.0.1:5401 accept-proxy ssl crt /ssl/app1-without-client-cert.mydomain.com strict-sni
    mode http
    option forwardfor
    use_backend backend_app1

backend backend_app1
    mode http
    server myapp1server 192.168.1.10:8080

backend dummy_backend_with_client_cert
    mode tcp
    server dummy_frontend_with_client_cert 127.0.0.1:5402 send-proxy

frontend dummy_frontend_with_client_cert
    bind 127.0.0.1:5402 accept-proxy ssl crt /ssl/app2-with-client-cert.mydomain.com strict-sni ca-file /ssl/trusted_client_ca.pem verify required
    mode http
    option forwardfor
    use_backend backend_app2

backend backend_app2
    mode http
    server myapp2server 192.168.1.20:8080
Hope it helps people.
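To show what the tcp-443 frontend above actually inspects before any TLS termination, here is an added Python example (not part of the original post or of HAProxy): it builds a ClientHello carrying an SNI extension, extracts the SNI the way `req_ssl_hello_type 1` and `req_ssl_sni` do on the raw bytes, and maps it to the backend names from the config. The SNI-to-backend table and the ClientHello bytes are constructed from the post; `build_client_hello`, `parse_sni` and `choose_backend` are hypothetical helper names.

```python
import struct

# Constructed from the config in this post: SNI host -> backend chosen by the tcp-443 frontend.
SNI_ROUTES = {
    "app1-without-client-cert.mydomain.com": "dummy_backend_without_client_cert",
    "app2-with-client-cert.mydomain.com": "dummy_backend_with_client_cert",
}
def build_client_hello(server_name: str) -> bytes:
    """Minimal TLS ClientHello record with an SNI extension (constructed test input, not real traffic)."""
    host = server_name.encode("ascii")
    name_list = b"\x00" + struct.pack("!H", len(host)) + host          # name_type host_name(0)
    sni_ext = struct.pack("!HHH", 0, len(name_list) + 2, len(name_list)) + name_list
    body = (b"\x03\x03" + b"\x00" * 32                                  # client_version + random (zeros)
            + b"\x00"                                                   # empty session_id
            + b"\x00\x02\x13\x01"                                       # one cipher suite
            + b"\x01\x00"                                               # compression: null only
            + struct.pack("!H", len(sni_ext)) + sni_ext)                # extensions block
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body            # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake(22)
def parse_sni(record: bytes):
    """Return the SNI host name if `record` is a complete ClientHello carrying one, else None (same raw view req_ssl_sni has)."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return None                                   # not a handshake record / not a ClientHello
    if len(record) < 5 + struct.unpack("!H", record[3:5])[0]:
        return None                                   # incomplete: HAProxy keeps waiting (inspect-delay)
    p = 9 + 2 + 32                                    # skip handshake header, client_version, random
    p += 1 + record[p]                                # session_id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]  # cipher_suites
    p += 1 + record[p]                                # compression_methods
    if p + 2 > len(record):
        return None                                   # no extensions at all (old client, no SNI)
    ext_end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    while p + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", record[p:p + 4])
        p += 4
        if ext_type == 0:                             # server_name extension
            q = p + 2                                 # skip server_name_list length
            while q + 3 <= p + ext_len:
                name_len = struct.unpack("!H", record[q + 1:q + 3])[0]
                if record[q] == 0:                    # host_name entry
                    return record[q + 3:q + 3 + name_len].decode("ascii")
                q += 3 + name_len
        p += ext_len
    return None
def choose_backend(record: bytes):
    # Mimics the acl/use_backend lines: `-i` makes the match case-insensitive; None means no backend is selected.
    return SNI_ROUTES.get((parse_sni(record) or "").lower())
```

A connection whose first bytes are not a ClientHello (or arrive incomplete within the inspect delay) yields no SNI, which is exactly why the frontend only accepts on `req_ssl_hello_type 1`.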