Hi,
I have IMAP servers which are configured to work in TLS.
- I would like HAProxy to implement an SSL health check to the backend servers without verifying the certificate.
- I would still like the IMAP client to perform an SSL handshake before getting the IMAP banner (greeting).
When I use “check ssl verify none” in the server line, the IMAP client is not required to perform an SSL handshake; it gets the banner without an SSL handshake.
“check ssl verify none”:
[root@t2-ngvm-proxy-au1 ~]# telnet 0 50443
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
* OK IMAP4 proxy ready (Multi Interface Supplementing Tunnel)
When I use “check verify none” (without the “ssl” string in the server line), the IMAP client doesn’t get the banner and is required to perform an SSL handshake (as expected).
“check verify none” (without the ssl string in the server line):
[root@t2-ngvm-proxy-au1 ~]# telnet 0 50443
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
My questions are:
1. Which configuration is the proper one for my needs? (It seems like the one without the ssl string in the server line.)
2. When using “check verify none” (without the “ssl” string in the server line), does HAProxy still check SSL (health check) and the banner toward the back-end servers?
See the configuration below:
listen HAProxy_VVM
    log global
    option tcplog
    mode tcp
    bind :50443 name S_SSL
    balance roundrobin
    option tcp-check
    tcp-check connect port 50443 ssl
    tcp-check expect string *\ OK
    maxconn 90096
    timeout client 600000
    timeout server 60000
    timeout connect 5000
    server T004-vi-cas-au1 10.45.156.252 check verify none inter 30000
    server T004-vi-cas-au2 10.45.156.253 check verify none inter 30000
Thanks!
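The two telnet sessions above only show whether a greeting arrives in cleartext. As an added example (not part of the original post), this Python probe repeats that check and then completes a TLS handshake without certificate verification, so a listener that greets only after TLS can be told apart from one that greets in cleartext or not at all. The function names and result labels are assumptions made for this example.

```python
import socket
import ssl

GREETING = b"* OK"  # untagged IMAP greeting, the same string the tcp-check expects


def read_banner(sock, timeout):
    """Return the first bytes the peer sends, or b"" if it stays silent."""
    sock.settimeout(timeout)
    try:
        return sock.recv(512)
    except OSError:  # includes socket.timeout and TLS read errors
        return b""


def probe(host, port, timeout=3.0):
    """Classify a listener (hypothetical helper, labels are this example's own).

    "cleartext-banner": greeting is sent before any TLS handshake
    "tls-banner":       silent in cleartext, greeting only after a handshake
    "no-banner":        neither attempt produced an IMAP greeting
    """
    # Step 1: plain TCP, the same thing `telnet host port` does.
    with socket.create_connection((host, port), timeout=timeout) as plain:
        if read_banner(plain, timeout).startswith(GREETING):
            return "cleartext-banner"

    # Step 2: fresh connection, handshake first. Verification is disabled to
    # mirror "verify none"; this observes behaviour, it is not a trust decision.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw) as tls:
                if read_banner(tls, timeout).startswith(GREETING):
                    return "tls-banner"
    except OSError:  # handshake refused, reset or timed out
        pass
    return "no-banner"


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1], int(sys.argv[2])))
```

Run it against the proxy listener, for example `python3 probe.py 127.0.0.1 50443`, once for each variant of the server line and compare the results.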