Hi Heiko!
> Due to connection limit problems I'd like to remove stunnel from a
> configuration in front of haproxy.
>
> The original setup was:
> - stunnel was responsible for the SSL(https) connection
> - using localhost the web traffic was transferred to haproxy
> - haproxy divided traffic into web page requests and the Java software tunnel
> to an application server via websocket.
>
> I updated haproxy from version 1.4.2 to 1.5.5 on a Red Hat Enterprise Linux
> 6.5 host and the mentioned setup still worked fine. Using a test system I
> tried to add the SSL functionality directly to haproxy and removed stunnel
> from the setup.
>
> The web pages are still working with any crypto protocols and ciphers but the
> upgrade to websocket does not work anymore. I can see that the Java client
> sends initial packets to start the encryption but drops the connection with a
> FIN+ACK after haproxy sends a TLSv1.2 proposal. The haproxy log then tells:
> Connection closed during SSL handshake
>
> Additionally, I tested all the crypto protocol options in the Java control
> panel from SSLv3 up to TLSv1.2 — all with the same result. There is no
> additional crypto library implemented in the client software, so it depends
> completely on the Java settings. I used a very recent version of Java 7 for
> my tests.
>
> Does somebody have further ideas what I might have overlooked?
Gonna need to see your configuration to be able to help you, especially ssl
and http related parts.
Out of the back of my mind I recall Java has problems with DHE ciphers
when the dh size is more than 1024 bits. Could that be your case?
Can you share a tcpdump capture of the failed handshake (don't forget -s0
otherwise packets will be truncated).
Regards,
Lukas
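To make the DHE hypothesis from the reply above concrete, here is an added haproxy 1.5 configuration sketch for the stunnel-less setup described in the thread; it is an illustration written for this page, not a configuration from either poster. Java 7's JSSE rejects Diffie-Hellman primes larger than 1024 bits, so a server that answers a DHE cipher suite with a 2048-bit ServerKeyExchange is dropped by the client right after the ServerHello, which is the symptom reported. In haproxy 1.5 the DH size is controlled by tune.ssl.default-dh-param (default 1024, but the startup warning nudges people to raise it to 2048) unless the PEM file loaded with "crt" or an ssl-dh-param-file supplies its own parameters, which then take precedence. The file paths, ports and backend names below are assumptions.

```haproxy
global
    # Java 7 clients cannot process DH primes above 1024 bits. Either keep the
    # ephemeral DH size at 1024 (weak, but what those clients can do) ...
    tune.ssl.default-dh-param 1024
    # ... or, preferably, order ECDHE suites before DHE so such a client never
    # receives a DHE ServerKeyExchange at all. Java 7 supports ECDHE-RSA with
    # AES-CBC (no GCM before Java 8); the host's OpenSSL must have EC enabled.
    ssl-default-bind-ciphers ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES128-SHA
    ssl-default-bind-options no-sslv3

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s
    # idle websocket tunnels must outlive the ordinary client/server timeouts
    timeout tunnel  1h

frontend https_in
    # TLS is terminated here instead of in stunnel (path is assumed). If this
    # PEM file contains a "BEGIN DH PARAMETERS" block, that block, not
    # tune.ssl.default-dh-param, decides the DH size the Java client sees.
    bind *:443 ssl crt /etc/haproxy/cert.pem
    # split plain page requests from the Java client's websocket tunnel
    acl is_websocket hdr(Upgrade) -i websocket
    use_backend ws_app if is_websocket
    default_backend web

backend web
    server web1 127.0.0.1:8080

backend ws_app
    # application server reached through the websocket tunnel (address assumed)
    server app1 127.0.0.1:8081
```

To confirm the diagnosis before changing anything, take the capture the reply asks for, e.g. `tcpdump -i any -s0 -w handshake.pcap port 443`, and inspect the ServerKeyExchange record that follows the ServerHello: a DH prime field of 256 bytes is a 2048-bit group, which a Java 7 client will refuse. If the handshake fails before any ServerKeyExchange is sent, DH size is not the problem and the cipher list in the bind line is the next thing to compare against what the Java client offers in its ClientHello.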