Hi Heiko,

> #---------------------------------------------------------------------
> # test configuration
> #---------------------------------------------------------------------
>
> frontend test1
> bind *:443 ssl crt /etc/pki/tls/certs/domain.com-haproxy.pem
> #ciphers HIGH:RC4-SHA:!ADH
> #ciphers AES:RC4:ALL:!aNULL:!eNULL:!LOW:!EXPORT:!SSLv2:!ECDH
> reqadd X-Forwarded-Proto:\ https
>
> acl nourl url /
> acl baseurl url /java-app
> acl is_websocket hdr(Upgrade) -i WebSocket
> acl is_websocket path_beg /java-app/r3
> acl is_download path_beg /java-app/
> acl admin_url path_beg /admin
> acl is_admin src 192.168.1.0/24
>
> redirect location http://www.domain.com/ if nourl
> redirect location https://test.domain.com/java-app/ if baseurl
>
> use_backend test1_socket_backend if is_websocket
> use_backend test1_website_backend if is_download ! is_websocket
> use_backend private_monitoring if is_admin admin_url
>
>
> #-Backends------------------------------------------------------------
>
> backend deny_backend
> option httpclose
> reqideny .*
>
> backend private_monitoring
> stats enable
> stats uri /admin?stats
> stats refresh 10s
>
> # Test1
> backend test1_website_backend
> option httpclose
> server test1 <internal hostname>:8080
>
> backend test1_socket_backend
> no option httpclose

Better switch to "option http-tunnel" here.



>> Out of the back of my mind I recall Java has problems with DHE ciphers
>> when the dh size is more than 1024 bits. Could that be your case?
>
> I read about it somewhere and was aware of it (a known problem with Java 7). I
> tested with the default of 1024 bit but also tried with other values. There
> was no change in behavior.

How exactly did you modify this value? Do you have those dh-params in your
pem file?




> 46 29.435106 <CLIENT> <HAPROXY> SSLv2 213 Client Hello
> 47 29.440451 <HAPROXY> <CLIENT> TLSv1.2 1508 Server Hello
> 48 29.440473 <HAPROXY> <CLIENT> TLSv1.2 1134 Certificate


Can you try "force-tlsv10" on the bind line, to see if that
changes anything? If that doesn't help, can you send
me the full tcpdump capture file offlist ("tcpdump -ns0
-w capture.cap tcp port 443" or something like that)?


Do you have any way to enable the java debug console
and see what it says?



Regards,

Lukas
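
The question above about whether the dh-params are actually in the pem file is easy to answer with a small inspector. The script below is an added example, not code from this thread or from HAProxy: it lists the PEM blocks in a combined certificate file, and when a "DH PARAMETERS" block is present it decodes the PKCS#3 DER and reports the prime size, flagging anything above the 1024 bits that Java 7's JSSE accepts. The sample PEM data is constructed in the script (the "prime" is just an odd number of the right size, and the certificate/key blocks are placeholders) so that it runs offline; point `inspect_pem()` at the real file contents to check a production pem.

```python
"""Inspect a HAProxy-style combined PEM: which blocks it contains and, if a
'DH PARAMETERS' block is present, how large the DH prime is.
Added example for this thread, not HAProxy's own code; sample data is constructed below."""
import base64
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

# Java 7's JSSE rejects DHE handshakes whose prime exceeds 1024 bits.
JAVA7_MAX_DH_BITS = 1024


def pem_blocks(pem_text):
    """Return a list of (label, der_bytes) for every PEM block in the text."""
    return [(label, base64.b64decode("".join(body.split())))
            for label, body in PEM_BLOCK.findall(pem_text)]


def _der_read_tlv(buf, pos):
    """Minimal DER TLV reader: returns (tag, value_bytes, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def dh_prime_bits(der):
    """PKCS#3 DH parameters are SEQUENCE { INTEGER p, INTEGER g [, INTEGER l] }."""
    tag, seq, _ = _der_read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("DH parameters must be a DER SEQUENCE")
    tag, p_bytes, _ = _der_read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("first element of DH parameters must be INTEGER p")
    return int.from_bytes(p_bytes, "big").bit_length()


def inspect_pem(pem_text):
    """Summarise the PEM: labels present, DH prime size, and a Java 7 verdict.
    dh_bits None means no DH block: HAProxy then falls back to its built-in
    group sized by tune.ssl.default-dh-param, so the verdict is None (unknown)."""
    blocks = pem_blocks(pem_text)
    dh_bits = next((dh_prime_bits(der) for label, der in blocks
                    if label == "DH PARAMETERS"), None)
    return {
        "labels": [label for label, _ in blocks],
        "dh_bits": dh_bits,
        "java7_dhe_ok": None if dh_bits is None else dh_bits <= JAVA7_MAX_DH_BITS,
    }


# --- constructed sample data (not a real key, cert or safe prime) ------------
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(lb)]) + lb


def _der_int(n):
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if b[0] & 0x80:            # keep the INTEGER positive
        b = b"\x00" + b
    return b"\x02" + _der_len(len(b)) + b


def make_dh_pem(prime_bits):
    """Build a 'DH PARAMETERS' block whose 'prime' is simply an odd number of
    the requested size; only the size matters for this check."""
    p = (1 << (prime_bits - 1)) | 1
    body = _der_int(p) + _der_int(2)
    der = b"\x30" + _der_len(len(body)) + body
    return ("-----BEGIN DH PARAMETERS-----\n" + base64.encodebytes(der).decode()
            + "-----END DH PARAMETERS-----\n")


# Placeholder blocks standing in for the real certificate and key.
FAKE_CERT = "-----BEGIN CERTIFICATE-----\nAAEC\n-----END CERTIFICATE-----\n"
FAKE_KEY = "-----BEGIN PRIVATE KEY-----\nAAEC\n-----END PRIVATE KEY-----\n"

if __name__ == "__main__":
    for bits in (1024, 2048):
        print(bits, inspect_pem(FAKE_CERT + FAKE_KEY + make_dh_pem(bits)))
    print("no DH block:", inspect_pem(FAKE_CERT + FAKE_KEY))
```

If the file has no DH block at all, the DH size HAProxy negotiates is whatever tune.ssl.default-dh-param says, so changing that global is the only way the earlier "tried with other values" test could have taken effect; if the file does carry a DH block, that block wins and the global is ignored.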

