Add TLS troubleshooting

Author: lcrilly

README.md

@@ -161,6 +161,16 @@ Any errors generated by the OpenID Connect flow are logged in a separate file, `
     * This is typically caused by the IdP issuing its own session cookie(s) to the client. NGINX Plus sends the request to the IdP for authentication and the IdP immediately sends back a new authorization code because the session is still valid.
     * Check your IdP configuration if this behavior is not desired.
 
+  * **Failed SSL/TLS handshake to IdP**
+    * Indicated by error log messages including `peer closed connection in SSL handshake (104: Connection reset by peer) while SSL handshaking to upstream`.
+    * This can occur when the IdP requires Server Name Indication (SNI) information as part of the TLS handshake. Additional configuration is required to satisfy this requirement.
+    * Edit **openid_connect.server_conf** and for each of the `/_jwks_uri`, `/_token`, and `/_refresh` locations, add the following configuration snippet:
+```nginx
+proxy_set_header Host <IdP hostname>;
+proxy_ssl_name        <IdP hostname>;
+proxy_ssl_server_name on;
+```
+
 ## Support
 
 This reference implementation for OpenID Connect is supported for NGINX Plus subscribers.