Hi Lukas,

Lukas Tribus wrote:
sounds like a tricky issue ...

indeed :)

- has the Windows 7 box all the latest patches from MS?

Yes.

- any reason not to use openssl1.0.1e?

I couldn't get it to compile, or in fact, I could compile it, but it would break at the `make test` step and I hadn't yet found time to get to the bottom of this.

- any "security" software ("suites", software firewalls, anti-virus)
   which may intercept the SSL/TLS session (basically: do you see your
   real certificate in the browser or do you see a certificate of a
   "security product")?

There is a simple iptables on the box. By policy, we don't deploy any magic security snake oil, so no, nothing of that kind between the client and HAProxy. The browser is talking directly to HAProxy.

- could you reproduce this with a self-signed certificate you *don't* use
   in production (so that the private key can be disclosed for
   troubleshooting), tcpdump the ssl session and provide the capture,
   including the private server certificate?

I'll have to reconstruct this on a local VM to anonymize the data a bit. I'll get back to you as soon as possible.

Thanks for your support.

--Holger
