Hi Markus,

On Wed, Apr 23, 2014 at 08:00:21PM +0200, Markus Rietzler wrote:
> Today I have switched to dev23. Everything is working very well in our
> environment. haproxy works perfectly in http mode,
> load balancing our two backend servers with master/slave and backup setup.
>
> I also use haproxy for SSL termination. Exactly: haproxy takes SSL requests to
> our shop and then does SSL to the backend servers with backup setup.
>
> So far everything works very well.
>
> The only problem is that I see
>
> xx.xx.xx.xx:50281 [23/Apr/2014:19:49:03.771] https/1: SSL handshake failure
>
> those error messages in the log file. What happens here? Sometimes I get an
> error message in the browser; Firefox gives the error message:
> ssl_error_illegal_parameter_alert. But not always.
>
> This is the SSL config for haproxy
What version were you running previously ? Could you please check with
haproxy -vv ? This will also give us the exact openssl version in use.

I'm seeing something strange in your config with "force-sslv3 force-tlsv10",
because each "force" parameter should be unique, so in practice I think
you're forcing TLSv1.0. Could you please try to remove these two statements
to see if that fixes anything ?

I'm leaving your config below for reference in case someone else has any idea.

Willy

> global
>     daemon
>     maxconn 2000
>     stats socket /opt/haproxy/var/socket mode 0600 level admin
>     user www
>     group www
>     pidfile /opt/haproxy/var/pid
>
> defaults
>     mode http
>     log global
>     balance roundrobin
>     option httplog
>     option dontlognull
>
>     retries 3
>     option redispatch
>     option http-server-close
>     # option http-keep-alive
>     option forwardfor
>
>     timeout connect 5000ms
>     timeout client 50000ms
>     timeout server 50000ms
>
>     log 127.0.0.1 local0
>
> frontend https
>     bind xx.xx.xx.xx:443 ssl crt /opt/haproxy/haproxy.ssl.crt force-sslv3 force-tlsv10 ciphers ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!RC4+RSA:+HIGH:+MEDIUM
>     capture request header Host len 32
>     default_backend lbhttps
>     monitor-uri /ok
>     reqadd X-Forwarded-Proto:\ https
>
>
> backend lbhttps
>     server master yy.yy.yy.yy:443 ssl maxconn 50 check weight 1 inter 5s rise 3 fall 2 verify none
>     server slave zz.zz.zz.zz:443 ssl maxconn 50 check backup weight 1 inter 5s rise 3 fall 2 verify none
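A small lint for the conflict Willy points out, added here as an example and not taken from the thread or from HAProxy itself: it scans a config for bind lines that stack more than one force-* keyword. The sample config it writes is constructed from the quoted frontend, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the thread: report bind lines that carry more
# than one force-* keyword, since only one protocol can be forced per bind.

# force_conflicts CFG
# Prints "line N: conflicting <keywords>" for each bind line in CFG that
# carries two or more force-* keywords; prints nothing when the config is clean.
force_conflicts() {
    awk '
        $1 == "bind" {
            found = ""
            for (i = 2; i <= NF; i++)
                if ($i ~ /^force-(sslv3|tlsv1[0-3])$/) found = found " " $i
            if (split(found, parts, " ") > 1)
                printf "line %d: conflicting%s\n", NR, found
        }' "$1"
}

# write_sample_cfg FILE
# Writes a constructed config modelled on the quoted frontend: the first bind
# line reproduces the conflict, the second is the same line with both force-*
# keywords removed, as the reply suggests trying.
write_sample_cfg() {
    cat > "$1" <<'EOF'
frontend https
    bind xx.xx.xx.xx:443 ssl crt /opt/haproxy/haproxy.ssl.crt force-sslv3 force-tlsv10 ciphers ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!RC4+RSA:+HIGH:+MEDIUM
    default_backend lbhttps

frontend https_fixed
    bind xx.xx.xx.xx:8443 ssl crt /opt/haproxy/haproxy.ssl.crt ciphers ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!RC4+RSA:+HIGH:+MEDIUM
    default_backend lbhttps
EOF
}

cfg=$(mktemp)
write_sample_cfg "$cfg"
force_conflicts "$cfg"    # prints: line 2: conflicting force-sslv3 force-tlsv10
rm -f "$cfg"
```

Run it against a real config path instead of the sample to see whether any bind line still forces two protocols at once.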

