My backend server requires the server name extension to be included in the ClientHello message. I’m using transparent load balancing via HAProxy and it works, but health checks can run only in TCP mode. Enabling ssl-hello-check fails, as no server name extension is provided and the server closes the connection without responding with a ServerHello.
The following OpenSSL commands can be used to illustrate what I need:
openssl s_client -servername x.y.z -connect a.b.c.d:443   # WORKS
openssl s_client -connect a.b.c.d:443   # FAILS HANDSHAKE identically to HAProxy ssl-hello-check
What option shall I use in HAProxy to make it work? I’m using version 1.5.14.