>> my problem is, that I sometimes see an error message in my browser. I
>> also got one response from a user saying that he can't access our
>> ssl-pages and gets an error.
>
> There are 2 issues here:
> - the fact that you sometimes (?) see this error in the browser
> - the fact that one user can't open the ssl-page at all (likely he has
>   a browser or SSL middlebox incompatible with your SSL settings)
>

I try to confirm this (as it happens randomly, it's not that easy).

> Markus, please follow Willy's advice and remove all force-* configurations
> from your bind line. You should use the no-sslv3/no-tlsv1[0-2] keywords to
> configure specific TLS versions, but in this case, as long as you are
> troubleshooting this, I strongly suggest not configuring any specific TLS
> settings.

I have now removed them. My thought was to prevent use of "weaker" SSL versions (like SSLv2), but I found in the docs that this is deactivated per default. So there is no real need to force "newer", as SSLv3 and TLSv1.x are used per default.

> Also, we need the haproxy -vv output. You said you started running SSL
> on haproxy April 8th, but dev23 was only released these days. So what
> release did you run previously, and did you have the same problems (in
> the browsers, not the log)?

I activated SSL load balancing on the 8th of April (not because of Heartbleed), so I only have numbers starting from the 8th of April. While testing I used SSL load balancing before and saw a few errors, which stopped me from activating SSL load balancing in haproxy in the first run. I have used all versions starting from 1.5-dev19 up to dev23 now.

./haproxy -vv
HA-Proxy version 1.5-dev23-8317b28 2014/04/23
Copyright 2000-2014 Willy Tarreau <[email protected]>

Build options :
  TARGET  = linux2628
  CPU     = generic
  CC      = gcc
  CFLAGS  = -O2 -g -fno-strict-aliasing
  OPTIONS = USE_OPENSSL=yes

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built without zlib support (USE_ZLIB not set)
Compression algorithms supported : identity
Built with OpenSSL version : OpenSSL 1.0.1 14 Mar 2012
Running on OpenSSL version : OpenSSL 1.0.1 14 Mar 2012
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built without PCRE support (using libc's regex instead)
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

>> [1] https://www.ssllabs.com/ssltest/
>

Everything is OK, I see SSLv2 is disabled ;-) just what I wanted when first using force-xxxx.
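For readers following the thread, here is an added illustration (not from the thread or the haproxy project) of the three bind-line variants being discussed: the force-* line that was removed, the bare line recommended while troubleshooting, and the no-* form for excluding a single version afterwards. The certificate path, frontend/backend names and server address are placeholders.

```haproxy
# Added example for illustration; /etc/haproxy/site.pem and 192.0.2.10 are placeholders.

frontend https-in
    # Before: force-tlsv12 makes the listener accept TLS 1.2 handshakes only,
    # so any browser or SSL middlebox that cannot speak TLS 1.2 fails outright.
    # bind :443 ssl crt /etc/haproxy/site.pem force-tlsv12

    # While troubleshooting (as advised above): no version options at all.
    # SSLv2 is already disabled by default; SSLv3 and TLS 1.0 to 1.2 are offered.
    bind :443 ssl crt /etc/haproxy/site.pem

    # Afterwards, exclude only the version(s) you do not want, with the no-*
    # keywords (no-sslv3, no-tlsv10, no-tlsv11, no-tlsv12); everything else stays enabled.
    # bind :443 ssl crt /etc/haproxy/site.pem no-sslv3

    default_backend web-servers

backend web-servers
    server web1 192.0.2.10:80 check
```

After each change, re-run the SSL Labs test [1] against the public address to confirm exactly which protocol versions the listener offers, and compare that with what the affected user's client can negotiate.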

