TLS ServerName extension during ssl-hello-chk

jnitecki · November 7, 2016, 10:30pm

Hello,

My backend server requires servername extension to be included during ClientHello message. I’m using transparent load balancing via HAProxy and it works, but health checks can run only in tcp mode. Enabling ssl-hello-check fails as no server name extension is provided and server closes connection without responding with ServerHello.

Following OpenSSL commands can be used to illustrate what I need:
openssl s_client -servername x.y.z -connect a.b.c.d:443 WORKS
openssl s_client -connect a.b.c.d:443 FAILS HANDSHAKE identically to HAProxy ssl-hello-check

What option shall I use in HAProxy to make it work? I’m using version 1.5.14

Jan

lukastribus · November 21, 2016, 5:53pm

In haproxy 1.6 release we can send a certain SNI value, but not when health checking:

You will have to use an external check for this:
https://cbonte.github.io/haproxy-dconv/1.6/configuration.html#external-check%20(Process%20management%20and%20security)

rgacote · November 21, 2016, 6:22pm

Thanks for the update on this.
I look forward to exploring the external health check functionality.

Topic		Replies	Views
Check-ssl with SNI Help!	3	6891	September 3, 2018
Configuration does not work when tested with openssl without servername Help!	6	1257	May 27, 2018
Create SSL connection to backend Help!	1	318	November 29, 2022
HAProxy 1.6, Backend SNI not working in my implementation Help!	2	3542	June 12, 2016
L6RSP health-check error on the SSL-backend Help!	10	12972	January 21, 2021

TLS ServerName extension during ssl-hello-chk

Related topics