TLS ServerName extension during ssl-hello-chk


#1

Hello,

My backend server requires the servername extension to be included in the ClientHello message. I'm using transparent load balancing via HAProxy and it works, but health checks can run only in tcp mode. Enabling ssl-hello-chk fails, as no server name extension is provided and the server closes the connection without responding with a ServerHello.

The following OpenSSL commands illustrate what I need:
openssl s_client -servername x.y.z -connect a.b.c.d:443 WORKS
openssl s_client -connect a.b.c.d:443 FAILS HANDSHAKE identically to HAProxy ssl-hello-chk

What option shall I use in HAProxy to make it work? I'm using version 1.5.14.

Jan


#2

In the haproxy 1.6 release we can send a certain SNI value, but not when health checking.

You will have to use an external check for this:
https://cbonte.github.io/haproxy-dconv/1.6/configuration.html#external-check%20(Process%20management%20and%20security)
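One way to build the external check the reply points to, as an added example that is not code from this thread or from the HAProxy project: a POSIX sh script that HAProxy 1.6 runs through `external-check command`, which performs one TLS handshake with `openssl s_client -servername` (the command that works in the first post) and reports the server UP only when a cipher was actually negotiated, i.e. when the backend answered with a ServerHello. The argument layout `<proxy_address> <proxy_port> <server_address> <server_port>` and the `HAPROXY_SERVER_NAME` variable are what the HAProxy documentation specifies for external checks; the script path `/usr/local/bin/sni-check.sh`, the backend name `be_sni`, and the convention that the server's `name` in the config doubles as the SNI value are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread or the HAProxy project): an external
# health check for HAProxy 1.6 that performs a TLS handshake with the
# ServerName (SNI) extension set, which "option ssl-hello-chk" cannot do.
#
# HAProxy runs the command as
#     <proxy_address> <proxy_port> <server_address> <server_port>
# and exports HAPROXY_SERVER_NAME (the "name" given on the server line).
# This script uses that name as the SNI value, so each server line is
# named after the hostname the backend expects (assumed convention).
# Exit status 0 marks the server UP, anything else marks it DOWN.
#
# Assumed haproxy.cfg fragment (names and the script path are illustrative):
#     global
#         external-check
#     backend be_sni
#         option external-check
#         external-check command /usr/local/bin/sni-check.sh
#         server x.y.z a.b.c.d:443 check

# Decide from captured s_client output whether the handshake completed.
# When the server drops the connection after ClientHello (the failure in
# the thread), openssl prints an ":error:" line and "Cipher is (NONE)".
handshake_completed() {
    printf '%s\n' "$1" | grep -q ':error:' && return 1
    printf '%s\n' "$1" | grep -q 'Cipher is' || return 1
    printf '%s\n' "$1" | grep -q 'Cipher is (NONE)' && return 1
    return 0
}

# Run the probe: one handshake with SNI, stdin closed so s_client exits
# right after the handshake. Prints the captured output (stdout+stderr)
# for the caller; a missing openssl binary also ends up here and fails
# the "Cipher is" test above, so the server is marked DOWN rather than UP.
sni_probe() {
    host=$1 port=$2 servername=$3
    openssl s_client -servername "$servername" -connect "$host:$port" \
        </dev/null 2>&1
}

main() {
    server_addr=$3
    server_port=$4
    sni=${HAPROXY_SERVER_NAME:?HAPROXY_SERVER_NAME not set; run from haproxy}
    out=$(sni_probe "$server_addr" "$server_port" "$sni")
    if handshake_completed "$out"; then
        exit 0
    fi
    # Keep the reason on stderr for the operator; haproxy only sees the exit status.
    printf 'SNI check to %s:%s (servername %s) failed\n' \
        "$server_addr" "$server_port" "$sni" >&2
    exit 1
}

# Only dispatch when invoked by haproxy with its four positional arguments,
# so the functions can be sourced and tested without opening a connection.
if [ "$#" -eq 4 ]; then
    main "$@"
fi
```

Because HAProxy treats any non-zero exit as DOWN, the script never lets an unexpected condition (no openssl, timeout, unparseable output) fall through to exit 0; the only path to UP is a parsed output that names a negotiated cipher. Install the script executable, and remember that `external-check` must be enabled in the `global` section before `option external-check` is accepted in a backend.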


#3

Thanks for the update on this.
I look forward to exploring the external health check functionality.