Hello Janek,
On 19.06.2017 at 14:13, Teichmann, Janek wrote:
> Hi,
>
> I have a problem with HAProxy 1.5.18 on a CentOS 7.2.1511. I installed the
> HAProxy from the epel repository. So just the normal packages.
> The problem is a rarely appearing SSL handshake error. HAProxy is terminating
> SSL with the config below. You can see that we are load balancing Exchange.
> On the syslog server I can see from about 43k requests 152 handshake failures.
> I captured one good handshake with Wireshark and one bad. The problem is they
> look the same. The error is a TLS error: Bad Record MAC (20)

If you are sure that this is not a client problem, then it's likely an OpenSSL bug.

See:
http://mailman.nginx.org/pipermail/nginx-devel/2013-October/004385.html
https://lists.freebsd.org/pipermail/freebsd-security/2014-April/007539.html
https://trac.nginx.org/nginx/ticket/215

The fix is in OpenSSL 1.0.1h:
https://github.com/openssl/openssl/commit/725c5f1ad393a7bc344348d0ec7c268aaf2700a7

I'm not sure if this was backported in RedHat/CentOS. Is the package up to date
(should be openssl-1.0.1e-60.el7.x86_64 afaik)?

There is not much to do on the haproxy front; you can try with an upstream and
recent OpenSSL version, and if it works fine, file a report.

Regards,
Lukas
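Janek's figure of 152 failures in about 43k requests is the kind of ratio a syslog check can produce, and Lukas's first question is whether it is a client problem. As an added example (not from the thread, and not HAProxy's own tooling), the script below tallies HAProxy "SSL handshake failure" lines per frontend and reports whether the failures are spread across many client addresses or concentrated on a few; the log lines, frontend and backend names are constructed.

```python
import re
from collections import Counter

# Constructed HAProxy 1.5 syslog lines (not taken from the thread): httplog
# request lines from a TLS-terminating frontend plus the "SSL handshake
# failure" error lines HAProxy logs when a handshake does not complete.
SAMPLE_LOG = """\
Jun 19 14:13:01 lb1 haproxy[2231]: 192.0.2.17:51342 [19/Jun/2017:14:13:01.123] exchange-https~ exchange-backend/ex01 0/0/1/45/46 200 1234 - - ---- 3/3/0/0/0 0/0 "GET /owa/ HTTP/1.1"
Jun 19 14:13:02 lb1 haproxy[2231]: 192.0.2.18:51343 [19/Jun/2017:14:13:02.001] exchange-https~ exchange-backend/ex02 0/0/0/30/30 200 987 - - ---- 3/3/0/0/0 0/0 "GET /ews/exchange.asmx HTTP/1.1"
Jun 19 14:13:02 lb1 haproxy[2231]: 192.0.2.30:51344 [19/Jun/2017:14:13:02.250] exchange-https/1: SSL handshake failure
Jun 19 14:13:03 lb1 haproxy[2231]: 192.0.2.19:51345 [19/Jun/2017:14:13:03.100] exchange-https~ exchange-backend/ex01 0/0/1/40/41 200 2048 - - ---- 3/3/0/0/0 0/0 "POST /autodiscover/autodiscover.xml HTTP/1.1"
Jun 19 14:13:04 lb1 haproxy[2231]: 192.0.2.31:51346 [19/Jun/2017:14:13:04.020] exchange-https/1: SSL handshake failure
Jun 19 14:13:05 lb1 haproxy[2231]: 192.0.2.32:51348 [19/Jun/2017:14:13:05.300] exchange-https/1: SSL handshake failure
Jun 19 14:13:06 lb1 haproxy[2231]: 192.0.2.17:51350 [19/Jun/2017:14:13:06.010] exchange-https/1: SSL handshake failure
"""

FAIL_RE = re.compile(r"haproxy\[\d+\]: (?P<client>[\d.]+):\d+ \[[^\]]+\] "
                     r"(?P<frontend>[\w.-]+)/\d+: SSL handshake failure")
REQ_RE = re.compile(r"haproxy\[\d+\]: (?P<client>[\d.]+):\d+ \[[^\]]+\] "
                    r"(?P<frontend>[\w.-]+)~? ")


def analyze(log_text, min_failures=3, spread_threshold=0.5):
    # Per frontend: requests, handshake failures, failure rate, client spread.
    per_fe = {}
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            fe = per_fe.setdefault(m["frontend"], {"requests": 0, "fails": Counter()})
            fe["fails"][m["client"]] += 1
            continue
        m = REQ_RE.search(line)
        if m:
            fe = per_fe.setdefault(m["frontend"], {"requests": 0, "fails": Counter()})
            fe["requests"] += 1
    report = {}
    for name, fe in per_fe.items():
        failures, distinct = sum(fe["fails"].values()), len(fe["fails"])
        total = fe["requests"] + failures
        # Many distinct failing clients point at the server-side TLS stack (the
        # OpenSSL bug in the thread); one or two addresses point at those clients.
        if failures < min_failures:
            verdict = "too few failures to judge"
        elif distinct / failures >= spread_threshold:
            verdict = "spread across clients: suspect server-side TLS stack"
        else:
            verdict = "concentrated on few clients: suspect client side"
        report[name] = {"requests": fe["requests"], "failures": failures,
                        "distinct_failing_clients": distinct, "verdict": verdict,
                        "failure_rate": failures / total if total else 0.0}
    return report
```

Feed it the real syslog file (`analyze(open(path).read())`) to get the per-frontend breakdown; the thresholds are arbitrary starting points, not values from the thread.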

