> having two different versions, we cannot rule out a problem there.

I did manage to do that. My captures (of my test requests) don't show an improvement in Wireshark's ability to decrypt.

I suspect that the actual handshake problem with the customer is on their end. The certificate we were using in production was expired and had the wrong host name in the subject, so we got a new one with the correct name. They couldn't connect to that either. I now have placed that expired and incorrect cert in haproxy's configuration, and I bet they'll be able to connect to it now. I think their client is probably very stupid.

Because they're in Japan, it takes pretty much a full day for every little tweak we make to get tested. I hope we can get a more interactive testing session going.

Thanks,
Shawn