Re: [exim] Exim + Multi domain SSL + HA Proxy

Author: Viktor Dukhovni
Date:  
To: exim-users
Subject: Re: [exim] Exim + Multi domain SSL + HA Proxy
On Mon, Nov 02, 2015 at 11:09:53AM +1000, Matt Bryant wrote:

> For legacy reasons need to support smtps on port 465 and whilst exim
> supports SNI, and indeed have that working atm, am now trying to put it
> behind the HAProxy LB ... which is where things are going pear shape.. is
> this even possible ??? or would I need to terminate SSL on haproxy then just
> proxy on to backend ???
>
> TLS error on connection from [x.x.x.x] (SSL_accept): error:140760FC:SSL
> routines:SSL23_GET_CLIENT_HELLO:unknown protocol
>
> I don't need to route SSL just want everything to go to same server and
> haproxy to forward on the SNI information so that exim can pick up on it ..
> or am I totally off base here ????


Funny you should mention this, the same issue (HA proxy with TLS
wrapper mode on port 465) was quite recently addressed in Postfix,
so it is now somewhat better understood:

    http://postfix.1071664.n5.nabble.com/smtpd-upstream-proxy-protocol-smtpd-tls-wrappermode-td79550.html


HAProxy is a layer 4 load-balancing protocol that can be configured
to load balance connections *before* SSL termination. This now
works in Postfix. The fix was to avoid reading too much of the
network payload when processing the HA proxy protocol, because that
might cause part of the SSL/TLS client HELLO to be processed too
early.

By reading the HA proxy traffic one byte at a time, Postfix now
avoids over-reading the HA proxy handshake, and the subsequent
SSL handshake just works the same way as always (SNI and all).

Something similar can probably be done in Exim.

-- 
    Viktor.
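The one-byte-at-a-time approach Viktor describes, as an added illustration that is not code from Postfix, Exim or HAProxy. The PROXY v1 line and the TLS record bytes that follow it are constructed sample input, and a pipe stands in for the client socket; the point is that after the header is consumed, the very next byte read is still the first byte of the TLS ClientHello, so the TLS library sees an intact handshake.

```c
#include <string.h>
#include <unistd.h>

#define PROXY_V1_MAX 108  /* longest v1 line incl. CRLF allowed by the spec */

/* Read a PROXY protocol v1 line from fd, one byte per read(), so that
 * nothing after the terminating CRLF is pulled out of the socket buffer.
 * Returns the header length (CRLF stripped) or -1 on a malformed line. */
int read_proxy_v1_header(int fd, char *out, size_t cap) {
    size_t n = 0;
    while (n + 1 < cap && n < PROXY_V1_MAX) {
        char c;
        if (read(fd, &c, 1) != 1)
            return -1;                       /* EOF or error before CRLF */
        out[n++] = c;
        if (n >= 2 && out[n - 2] == '\r' && out[n - 1] == '\n') {
            out[n - 2] = '\0';
            if (strncmp(out, "PROXY ", 6) != 0)
                return -1;                   /* not a v1 header at all */
            return (int)(n - 2);
        }
    }
    return -1;                               /* line too long: reject */
}

/* Demo: constructed payload = PROXY v1 line followed by the first three
 * bytes of a TLS record header (0x16 = handshake, 0x03 0x01 = version),
 * i.e. the start of a ClientHello. Returns the first byte read after the
 * header, which must be 0x16 if the header reader did not over-read. */
int demo_first_tls_byte(void) {
    static const unsigned char payload[] =
        "PROXY TCP4 192.0.2.10 198.51.100.5 51234 465\r\n\x16\x03\x01";
    int p[2];
    char hdr[PROXY_V1_MAX + 1];
    unsigned char next;
    if (pipe(p) != 0)
        return -1;
    if (write(p[1], payload, sizeof(payload) - 1) < 0) { close(p[1]); close(p[0]); return -1; }
    close(p[1]);
    if (read_proxy_v1_header(p[0], hdr, sizeof hdr) != 44) { close(p[0]); return -1; }
    ssize_t r = read(p[0], &next, 1);       /* must be the TLS record type */
    close(p[0]);
    return r == 1 ? (int)next : -1;
}
```

A reader that pulls a larger chunk (say, a full buffer) would swallow those three bytes along with the header, which is exactly the "unknown protocol" failure quoted above.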