https://tools.wmflabs.org/ rejects connections where the client indicates an SNI of tools.wmflabs.org. This is apparently important for Java applications in particular (cf. http://bugs.java.com/bugdatabase/view_bug.do?bug_id=7177232).
To reproduce:
openssl s_client -connect tools.wmflabs.org:443
opens a connection just fine, while:
openssl s_client -servername tools.wmflabs.org -connect tools.wmflabs.org:443
openssl s_client -servername tools-webproxy -connect tools.wmflabs.org:443
openssl s_client -servername tools-webproxy.eqiad.wmflabs -connect tools.wmflabs.org:443
all fail. I'm unable to log into tools-webproxy, so I can't debug this further at the moment.
Version: unspecified
Severity: major