Hi Merton!
> We are seeing a fair amount of 'SSL handshake failure' errors in our
> log, and we are running HAProxy 1.5-dev18.

I suggest updating to dev19. There are a lot of bug fixes, including a security fix since dev18, which you want to have if this is a production box.

It will not make those warnings disappear however.

> Any idea what causes these 'SSL handshake failure' errors?

SSL/TLS clients not completing the SSL handshake due to:
- not being at least TLSv1.0 compatible (you disabled SSLv3)
- not matching your ciphers (you have a pretty specific configuration)
- a user hit STOP in the browser
- a transient network problem
- a bug somewhere

> SSL handshake failure

Don't look at this from a server perspective. Look at every single client with problems and troubleshoot it from there.

> Given our whole site uses SSL, this is impacting usability for users.

Do you have actual user reports of failing SSL handshakes or is this a conclusion you based on the log?

If the former, then collect all the information you can get from those users, like OS, SSL stack, browser version, tcpdumps of the failed handshake, etc.

If the latter is the case, then don't panic - this is normal if you have an internet-facing server. Check "option dontlognull" if you want to mute those warnings.

Cheers,
Lukas
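Added example, not part of the original message: a per-client triage of the log that separates clients which only ever fail the handshake from one-off noise, as a starting point for the client-by-client troubleshooting suggested above. The log line layout, the sample lines, the `triage` function and its labels and threshold are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines; the layout (client ip:port, [timestamp], rest) is an
# assumption about how the failures and normal requests appear in the log.
SAMPLE_LOG = """\
Sep 10 12:00:01 lb1 haproxy[2101]: 198.51.100.7:51234 [10/Sep/2013:12:00:01.120] https-in/1: SSL handshake failure
Sep 10 12:00:03 lb1 haproxy[2101]: 198.51.100.7:51240 [10/Sep/2013:12:00:03.300] https-in~ app/web1 12/0/1/20/33 200 5120 - - ---- 3/3/0/1/0 0/0 "GET / HTTP/1.1"
Sep 10 12:01:10 lb1 haproxy[2101]: 203.0.113.9:40022 [10/Sep/2013:12:01:10.004] https-in/1: SSL handshake failure
Sep 10 12:01:12 lb1 haproxy[2101]: 203.0.113.9:40031 [10/Sep/2013:12:01:12.411] https-in/1: SSL handshake failure
Sep 10 12:01:15 lb1 haproxy[2101]: 203.0.113.9:40040 [10/Sep/2013:12:01:15.902] https-in/1: SSL handshake failure
Sep 10 12:02:00 lb1 haproxy[2101]: 192.0.2.44:33310 [10/Sep/2013:12:02:00.050] https-in/1: SSL handshake failure
Sep 10 12:02:05 lb1 haproxy[2101]: 192.0.2.80:61000 [10/Sep/2013:12:02:05.700] https-in~ app/web1 8/0/1/15/24 200 812 - - ---- 2/2/0/1/0 0/0 "GET /login HTTP/1.1"
"""

LINE = re.compile(r"haproxy\[\d+\]: (?P<ip>[0-9A-Fa-f.:]+):\d+ \[[^\]]+\] (?P<rest>.*)$")


def triage(log_text, persistent_min=3):
    """Return {client_ip: (label, failures, successes)} for clients with failures."""
    stats = defaultdict(lambda: [0, 0])  # ip -> [failures, successes]
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        if m["rest"].endswith("SSL handshake failure"):
            stats[m["ip"]][0] += 1
        else:
            stats[m["ip"]][1] += 1  # simplification: any other session counts as success
    result = {}
    for ip, (fail, ok) in stats.items():
        if fail == 0:
            continue
        if ok:
            label = "intermittent"  # also connects fine: abort or transient problem likely
        elif fail >= persistent_min:
            label = "persistent"    # never succeeds: check protocol version and ciphers
        else:
            label = "noise"         # isolated failure, typical for an internet-facing box
        result[ip] = (label, fail, ok)
    return result


if __name__ == "__main__":
    for ip, (label, fail, ok) in sorted(triage(SAMPLE_LOG).items()):
        print(f"{ip:15} {label:12} failures={fail} successes={ok}")
```

Clients labelled `persistent` are the ones worth following up with the OS, browser and tcpdump details mentioned in the reply; the labels are heuristics, not a diagnosis.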

