HAProxy no SNI

Started by lfirewall1243, November 05, 2024, 07:45:00 PM

Hello everyone,

at the moment I am trying to filter via SNI on HAProxy for my SMTPS and IMAPS connections.
It's all working fine when I select the default backend for SMTPS and IMAPS.

So I tried to create a condition where the SNI matches "smtp.mydomain.de" and "imap.mydomain.de".
Then no connection is possible.
The HAProxy is only in TCP Mode (working fine when default Backend is selected).

I already did a Wireshark pcap on my WAN interface, where the HAProxy is listening. The first TLS packet shows that the SNI is set correctly: "Client Hello (SNI=smtp.mydomain.de)".
So seems like HAProxy isn't respecting the SNI.

All Updates are installed.


Maybe anyone has an idea.
(Unofficial Community) OPNsense Telegram Group: https://t.me/joinchat/0o9JuLUXRFpiNmJk

PM for paid support

Did you use ssl_fc_sni, instead of req.ssl_sni? The latter only works with TLS, not with TCP.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

Thanks for the reply.

I already enabled strict_sni in my frontend. After that, a connection from Apple Mail is working, but Thunderbird and other clients are not.

Ah found it. Seems to work now.

Thank you a lot!