Last modified: 2014-08-28 14:34:37 UTC
https://tools.wmflabs.org/ rejects connections where the client indicates an SNI of tools.wmflabs.org. This is apparently important for Java applications in particular (cf. http://bugs.java.com/bugdatabase/view_bug.do?bug_id=7177232). To reproduce: | openssl s_client -connect tools.wmflabs.org:443 opens a connection just fine, while: | openssl s_client -servername tools.wmflabs.org -connect tools.wmflabs.org:443 | openssl s_client -servername tools-webproxy -connect tools.wmflabs.org:443 | openssl s_client -servername tools-webproxy.eqiad.wmflabs -connect tools.wmflabs.org:443 all fail. I'm unable to log into tools-webproxy, so I can't debug this further at the moment.
All four work for me. Perhaps this issue was only present during the transition to nginx? (There were proxies to proxies for roughly one month at that time).