HAProxy 1.6 with SNI and different SSL Settings per hostname

It's not supported the way you use it. The sequence of keywords in the bind configuration line is irrelevant.

For example, specifying strict-sni twice doesn't make any difference; it's not a per-certificate configuration.

And that is also valid for the client certificate authentication, so if you specify it, you are enabling it for everything.

Workarounds:

  • use a different IP or port for each cert (so it is a different bind line and you can therefore apply the configuration you need on a per-certificate/"bind" basis)
  • if you need everything on a single IP:port combination, the only way to achieve this currently with haproxy is to configure the frontend as TCP mode without any SSL, switch to different TCP backends based on SNI values, and then configure those TCP backends to point to dedicated SSL frontends where you have a different SSL configuration (with and without client certificates). You can use unix sockets or linux abstract namespace sockets instead of using the loopback TCP stack.

That's a complicated setup, but it is the only way if you need full per-certificate flexibility on a single IP:port combination.
For details see those 3 links:
http://cbonte.github.io/haproxy-dconv/1.6/configuration.html#4.2-bind
http://www.serverphorums.com/read.php?10,967239

There is a proposal to fix this properly, however it is in development and it could take some time until this is implemented and made its way to a stable haproxy release:

https://www.mail-archive.com/haproxy@formilux.org/msg23747.html
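The single-IP:port workaround from the second bullet, written out as an added example configuration (it is not from the reply above or from the HAProxy project). The hostnames, certificate paths, backend names and the abstract namespace socket names are assumptions; the keywords used (req_ssl_sni, req_ssl_hello_type, abns@, send-proxy-v2, accept-proxy, ca-file, verify required) are all available in HAProxy 1.6.

```haproxy
# Plain TCP frontend on the shared IP:port. No SSL is terminated here; it
# only peeks at the ClientHello to read the SNI value and routes on it.
frontend sni_router
    bind 0.0.0.0:443
    mode tcp
    # wait (up to 5s) for the ClientHello so req_ssl_sni can be evaluated
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    # assumed hostname that must require a client certificate
    use_backend to_mtls_frontend if { req_ssl_sni -i mtls.example.com }
    default_backend to_plain_frontend

# TCP backends that hand the raw connection to the dedicated SSL frontends
# over Linux abstract namespace sockets (abns@), avoiding the loopback stack.
# send-proxy-v2 forwards the real client address to the SSL frontend.
backend to_plain_frontend
    mode tcp
    server plain abns@ssl_plain send-proxy-v2

backend to_mtls_frontend
    mode tcp
    server mtls abns@ssl_mtls send-proxy-v2

# SSL frontend without client certificate authentication
frontend ssl_plain
    bind abns@ssl_plain accept-proxy ssl crt /etc/haproxy/certs/www.pem
    mode http
    default_backend app_www

# SSL frontend that requires and verifies a client certificate;
# strict-sni and the client CA apply only to this bind line.
frontend ssl_mtls
    bind abns@ssl_mtls accept-proxy ssl crt /etc/haproxy/certs/mtls.pem strict-sni ca-file /etc/haproxy/certs/clients-ca.pem verify required
    mode http
    default_backend app_mtls

backend app_www
    mode http
    server web1 127.0.0.1:8080   # assumed application server

backend app_mtls
    mode http
    server web2 127.0.0.1:8081   # assumed application server
```

Because the router frontend is in TCP mode, SNI from the ClientHello is the only routing key available, so a client that sends no SNI lands on the default backend; if that should not be accepted, point default_backend at the frontend that enforces the stricter policy rather than the permissive one.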