Am 24.04.14 03:19, schrieb Stefan: > We also have a lot of "SSL handshake failure" records in log file > > Here some details on configs: > > - haproxy -vv: > HA-Proxy version 1.5-dev23-8317b28 2014/04/23 > Copyright 2000-2014 Willy Tarreau <[email protected]> > > Build options : > TARGET = linux2628 > CPU = native > CC = gcc > CFLAGS = -m64 -march=x86-64 -O2 -march=native -g -fno-strict-aliasing > OPTIONS = USE_LINUX_SPLICE=1 USE_LINUX_TPROXY=1 USE_LIBCRYPT=1 USE_ZLIB=1 > USE_OPENSSL=1 USE_STATIC_PCRE=1 > > Default settings : > maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200 > > Encrypted password support via crypt(3): yes > Built with zlib version : 1.2.8 > Compression algorithms supported : identity, deflate, gzip > Built with OpenSSL version : OpenSSL 1.0.1e 11 Feb 2013 > Running on OpenSSL version : OpenSSL 1.0.1e 11 Feb 2013 > OpenSSL library supports TLS extensions : yes > OpenSSL library supports SNI : yes > OpenSSL library supports prefer-server-ciphers : yes > Built with PCRE version : 8.33 2013-05-28 > PCRE library supports JIT : no (USE_PCRE_JIT not set) > Built with transparent proxy support using: > IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND > > Available polling systems : > epoll : pref=300, test result OK > poll : pref=200, test result OK > select : pref=150, test result OK > Total: 3 (3 usable), will use epoll. > > > could you send our ssl config in haproxy? did you see those errors after 8th of april like willy and me (i have activated ssl loadbalancing on 8th of april, so i can't compare before heartbleed)
markus
