Author Topic: HAProxy no SNI (Read 87 times)

lfirewall1243 · « **on:** November 05, 2024, 07:45:00 pm »

Hello everyone,

at the moment I am trying to filter via SNI on HaProxy for my SMTPS and IMAPS connections.
Its all working fine when I select the default backend for SMTPS and IMAPS.

So I tried to create a condition where the SNI matches "smtp.mydomain.de" and "imap.mydomain.de".
Than no connection is possible.
The HAProxy is only in TCP Mode (working fine when default Backend is selected).

I already did a wireshark pcap on my WAN Interface, where the HAProxy is listening. The first TLS package show thats the SNI is set correctly "Client Hello (SNI=smtp.mydomain.de)".
So seems like HAProxy isn't respecting the SNI.

All Updates are installed.

Maybe anyone has an idea.

meyergru · « **Reply #1 on:** November 05, 2024, 07:50:59 pm »

Did you use ssl_fc_sni, instead of req.ssl_sni? The latter only works with TLS, not with TCP.

lfirewall1243 · « **Reply #2 on:** November 05, 2024, 07:55:55 pm »

Thanks for the reply.

I already enabled strict_sni in my frontend. After that a connection from Apple Mail is working, but thunderbird and other clients not

lfirewall1243 · « **Reply #3 on:** November 05, 2024, 08:04:46 pm »

Ah found it. Seems to work now.

Thank you a lot!

Author Topic: HAProxy no SNI (Read 87 times)

lfirewall1243

HAProxy no SNI

meyergru

Re: HAProxy no SNI

lfirewall1243

Re: HAProxy no SNI

lfirewall1243

Re: HAProxy no SNI