John Sizemore

Reputation: 54

SNI unrecognized_name warning when terminating TLS at HAProxy

We have a client whose code was written in Java 1.7. Java 1.7 by default refuses to connect via HTTPS to servers that return an SNI unrecognized_name warning. It's possible to turn off this behavior, but (of course) our client can't do that. Most other clients just ignore the warning.

We have a valid wildcard certificate for our domain, let's call it *.widgets.com. Anything in the domain widgets.com resolves to our HAProxy load balancer. We've installed that cert onto the load balancer, and we specify it in the front-end that listens on port 443. The cert is current and checks out fine when we test it from Qualys... except for that SNI warning.

Our client makes a call to a specific subdomain, say foo.widgets.com. The service is working fine, serving up content to anyone who calls it. Except for our client, of course, who won't connect to us after we return the SNI warning.

I've found lots of articles about how to solve this problem on Apache, but those don't help me with HAProxy. On HAProxy, I see that I can specify more than one cert, and I am told that HAProxy will "choose the right one". Do I need to get a separate, non-wildcard cert for foo.widgets.com? I don't want to buy another cert only to find out that that was not the solution.

Upvotes: 0

Views: 515

Answers (1)

John Sizemore

Reputation: 54

Turns out the problem had little to do with HAProxy. Apparently we had an intrusion detection system in place that would terminate TLS prior to relaying down to HAProxy.

There is probably a way to make the IDS behave properly, presenting the correct certificate to the client. But we don't really need IDS on our non-prod environments, anyway. So we left it switched off, and the problem went away.

So if you're having a similar issue, after making sure that your certificate is good for the request you're testing, my advice would be to check whether you have any security software that could intercept traffic before it reaches your LB.

Upvotes: 1
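An added diagnostic script for the check the answer recommends; it is not part of the original question or answer. It probes the public address and the HAProxy node directly with the same SNI name, reports whether the server sent the unrecognized_name warning alert, and compares the SHA-256 fingerprint of the leaf certificate on both paths. The function names, the placeholder addresses and the reliance on `openssl s_client` text output are assumptions.

```shell
#!/bin/sh
# Hypothetical helper (not from the post): find out whether the certificate a
# client sees through the public address is the one HAProxy itself presents.
# Domain name foo.widgets.com comes from the post; addresses are placeholders.

# Classify raw `openssl s_client -showcerts` output read from stdin.
# Prints "<status> <sha256-fingerprint-or-dash>", where status is
# "unrecognized_name" if the server sent that TLS warning alert, else "ok".
classify_tls_output() {
    out=$(cat)
    status=ok
    case "$out" in
        *"unrecognized name"*|*"unrecognized_name"*) status=unrecognized_name ;;
    esac
    # First PEM block in the output is the leaf certificate; fingerprint it.
    fp=$(printf '%s\n' "$out" \
        | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null \
        | sed 's/^.*=//')
    printf '%s %s\n' "$status" "${fp:--}"
}

# Probe one address with a given SNI name. Usage: probe_tls ADDR SERVERNAME
probe_tls() {
    openssl s_client -connect "$1:443" -servername "$2" -showcerts \
        </dev/null 2>&1 | classify_tls_output
}

# Compare the public path with a direct connection to the load balancer.
# Usage: compare_paths PUBLIC_ADDR LB_ADDR SERVERNAME
compare_paths() {
    public=$(probe_tls "$1" "$3")
    direct=$(probe_tls "$2" "$3")
    echo "public : $public"
    echo "direct : $direct"
    if [ "${public#* }" = "${direct#* }" ]; then
        echo "same leaf certificate on both paths"
    else
        echo "DIFFERENT leaf certificate: something before the LB terminates TLS"
    fi
}

# Example invocation (placeholder addresses from the RFC 5737 documentation range):
# compare_paths 203.0.113.10 192.0.2.20 foo.widgets.com
```

A differing fingerprint, or a warning that only appears on the public path, points at an intercepting device such as the IDS in the answer rather than at the HAProxy configuration.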
