How to analyse SNI support by client base


#1

We are using HaProxy in front of a webserver farm for many different domains which are all delivered over HTTPS, HaProxy is running in http mode.

As we started many years ago where SNI was not yet supported by IE and a few other platforms, we decided to get individual IP addresses for each SSL certificate. But we’re adding mor SSL certs regularely and now consider to expect SNI to be supported widely enough so that we could combine many certs on a single IP address.

It sounds like only Windows XP is being left out and still present. But we would also like to analyse our own traffic to see how many clients were still connecting to our farm not supporting SNI.

Is there an easy way to analyse live traffic for SNI support without interrupting the operations?


#2

Sure, SNI is accessible via the ssl_fc_sni variable.

You can log it, you can put it into a HTTP header … whatever you like.


#3

So if my current log format looks like

log-format %ci:%cp\ [%T]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ %{+Q}r

how can I add that extra field to it?


#4

Try:

%[ssl_fc_sni]


#5

This is almost too easy :slight_smile: