Hi,
If it can help, I've been in touch with Emeric about the SSL handshake
failure for some time now, but it's maybe preferable to use the ML to share
experience.
I'm using the following cipher filter list:
'ALL:!SSLv2:!eNULL:!aNULL:!LOW:!EXPORT:!kECDH:!MD5:@STRENGTH'
The PEM file I used is composed of the following:
-----BEGIN CERTIFICATE----- <= Leaf cert
-----BEGIN CERTIFICATE----- <= Intermediate cert
-----BEGIN CERTIFICATE----- <= Root cert
-----BEGIN DH PARAMETERS----- <= "openssl dhparam 4096" result
-----BEGIN DSA PARAMETERS----- <= "openssl dsaparam 4096" result
-----BEGIN EC PARAMETERS----- <= "openssl ecparam -name prime256v1" result
-----BEGIN RSA PRIVATE KEY----- <= Dumbo jacket
Here is the result of trying to use each cipher on the list:
$ openssl ciphers -v 'ALL:!SSLv2:!eNULL:!aNULL:!LOW:!EXPORT:!kECDH:!MD5:@STRENGTH' \
  | while read C dumb; do
      echo -n "# $C "
      openssl s_client -connect 176.31.104.63:443 -cipher $C </dev/null >/dev/null 2>&1 \
        && echo OK \
        || echo FAIL
    done \
  | sort -k 3 \
  | column -t
# DHE-DSS-AES128-GCM-SHA256 FAIL
# DHE-DSS-AES128-SHA256 FAIL
# DHE-DSS-AES128-SHA FAIL
# DHE-DSS-AES256-GCM-SHA384 FAIL
# DHE-DSS-AES256-SHA256 FAIL
# DHE-DSS-AES256-SHA FAIL
# DHE-DSS-CAMELLIA128-SHA FAIL
# DHE-DSS-CAMELLIA256-SHA FAIL
# DHE-DSS-SEED-SHA FAIL
# ECDHE-ECDSA-AES128-GCM-SHA256 FAIL
# ECDHE-ECDSA-AES128-SHA256 FAIL
# ECDHE-ECDSA-AES128-SHA FAIL
# ECDHE-ECDSA-AES256-GCM-SHA384 FAIL
# ECDHE-ECDSA-AES256-SHA384 FAIL
# ECDHE-ECDSA-AES256-SHA FAIL
# ECDHE-ECDSA-DES-CBC3-SHA FAIL
# ECDHE-ECDSA-RC4-SHA FAIL
# EDH-DSS-DES-CBC3-SHA FAIL
# PSK-3DES-EDE-CBC-SHA FAIL
# PSK-AES128-CBC-SHA FAIL
# PSK-AES256-CBC-SHA FAIL
# PSK-RC4-SHA FAIL
# SRP-DSS-3DES-EDE-CBC-SHA FAIL
# SRP-DSS-AES-128-CBC-SHA FAIL
# SRP-DSS-AES-256-CBC-SHA FAIL
# SRP-RSA-3DES-EDE-CBC-SHA FAIL
# SRP-RSA-AES-128-CBC-SHA FAIL
# SRP-RSA-AES-256-CBC-SHA FAIL
# AES128-GCM-SHA256 OK
# AES128-SHA256 OK
# AES128-SHA OK
# AES256-GCM-SHA384 OK
# AES256-SHA256 OK
# AES256-SHA OK
# CAMELLIA128-SHA OK
# CAMELLIA256-SHA OK
# DES-CBC3-SHA OK
# DHE-RSA-AES128-GCM-SHA256 OK
# DHE-RSA-AES128-SHA256 OK
# DHE-RSA-AES128-SHA OK
# DHE-RSA-AES256-GCM-SHA384 OK
# DHE-RSA-AES256-SHA256 OK
# DHE-RSA-AES256-SHA OK
# DHE-RSA-CAMELLIA128-SHA OK
# DHE-RSA-CAMELLIA256-SHA OK
# DHE-RSA-SEED-SHA OK
# ECDHE-RSA-AES128-GCM-SHA256 OK
# ECDHE-RSA-AES128-SHA256 OK
# ECDHE-RSA-AES128-SHA OK
# ECDHE-RSA-AES256-GCM-SHA384 OK
# ECDHE-RSA-AES256-SHA384 OK
# ECDHE-RSA-AES256-SHA OK
# ECDHE-RSA-DES-CBC3-SHA OK
# ECDHE-RSA-RC4-SHA OK
# EDH-RSA-DES-CBC3-SHA OK
# IDEA-CBC-SHA OK
# RC4-SHA OK
# SEED-SHA OK
On the client (openssl s_client) it gives:
error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert
handshake failure:s23_clnt.c:741:
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
On the server:
SSL handshake failure
Also, while debugging haproxy v1.5-dev18-34-gf27af0d I can see that
PEM_read_bio_DHparams(), called in ssl_sock_load_dh_params(), returns the
original (in the PEM file) DH parameters and that ssl_sock_load_dh_params()
returns 1.
beber
On 2013-04-19 20:53, Connelly, Zachary (CGI Federal) wrote:
HAProxy list,
I am currently working to implement SSL within HAProxy using the
1.5-dev18 version. Much like the thread started by Samat Galimov [1]
on 2/5/2013, I am seeing the same behavior where the first time I send
a request via SSL the request is serviced and everything is fine; the
next time the same request is attempted I receive 'ERROR:Exception in
request: javax.net.ssl.SSLHandshakeException: Remote host closed
connection during handshake.' I noticed the attached code in the
thread was not put into the dev18 version (I believe). Did that code
end up resolving the issue or is the issue still being reviewed? I can
supply my config file if that would help. Is there any way to get more
info out of HAProxy to see what it is doing while it handles the SSL
Handshake (the log does not seem to write anything when the request
fails)?
Any assistance would be appreciated. Thanks,
Zack Connelly
Links:
------
[1] http://search.gmane.org/?author=Samat+Galimov&sort=date