Hi Heiko,
> I did a couple of new tests. But as my self-compiled version 1.5.5 did
> behave weird sometimes I decided to have a try with the 1.5.2 from Red
> Hat which was packaged with RHEL 6.6. I will do a re-test tomorrow but:
> - the self-compiled version tried to use TLS 1.2 a couple of times
> although the 'no-tlsv12' option was set.

When you are compiling, are you *always* running "make clean" before the actual build? Could it be that you forgot it for your 1.5.5 build?

> While testing I got another idea we had trouble with some time ago.
> The certificate we use is a wildcard cert by DigiCert. I replaced it
> with a self-signed web certificate but it did not change anything.
> The results are identical.
>
> Do you have any further idea what might cause the problem?

You have to use a haproxy binary that you can trust, and all the previous tests you have done with a binary that ignores force-tlsv10 must be disregarded. So, if the reason for this was a missing "make clean" (that is just a wild, but valid, guess), then please recompile the latest v1.5.6 cleanly and retry with dh-params set to 1024 bit.

One other thing that comes to my mind is intermediate certificates. Are intermediate certificates correctly installed on haproxy? Currently, riege.com correctly delivers [1] the intermediate certificate "DigiCert High Assurance CA-3", but I guess that's still a stunnel setup? Please double check with haproxy and the openssl s_client command [2].

Regards,
Lukas

[1] https://www.ssllabs.com/ssltest/analyze.html?d=riege.com
[2] http://blog.yimingliu.com/2008/02/04/testing-https-with-openssl/

