Looks like disabling 'option ssl-hello-chk' worked in this case. I'll also see if we can't get our other side to turn on sslv3... however that may not be an option.
Without 'ssl-hello-chk':

$ curl --ciphers ALL -v https://216.121.28.78:443/
* Hostname was NOT found in DNS cache
*   Trying 216.121.28.78...
* Connected to 216.121.28.78 (216.121.28.78) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using ECDHE-RSA-AES256-SHA384
* Server certificate:
*   subject: C=US; ST=Texas; L=Dallas; O=ARTIZONE INC.; CN=*.artizone.com
*   start date: 2013-11-26 20:13:29 GMT
*   expire date: 2014-12-11 18:39:42 GMT
* SSL: certificate subject name '*.artizone.com' does not match target host name '216.121.28.78'
* Closing connection 0
* SSLv3, TLS alert, Client hello (1):
curl: (51) SSL: certificate subject name '*.artizone.com' does not match target host name '216.121.28.78'

- Brian Menges

-----Original Message-----
From: Lukas Tribus [mailto:[email protected]]
Sent: Tuesday, November 18, 2014 3:16 PM
To: Cyril Bonté; Brian Menges; [email protected]
Subject: RE: debugging ssl passthrough+haproxy

> Hi Brian,
>
> On 18/11/2014 20:12, Brian Menges wrote:
>> $ curl --ssl --ciphers ALL -v 216.121.28.78:443
>
> First issue here, please prefix your URL with https:// Otherwise curl
> will try to send plain HTTP on port 443.

The --ssl parameter makes sure here that curl indeed uses SSL. An https://
prefix would be more "curl-like" though.

I think I see what's going on: the "ssl-hello-chk" option really only sends
an SSLv3 client hello, and your origin server seems to have SSLv3 disabled, as:

  openssl s_client -ssl3 -connect 216.121.17.252:443

fails (at least from my box here).

Because health checks are failing, all your servers are probably marked down,
and nothing works.

We need to check how haproxy 1.5 ssl-hello-chk behaves; if it's still SSLv3
only, it would probably be a good time to upgrade this to TLS (at least v1.0).

Enable SSLv3 on your server or disable ssl-hello-chk to work around the issue.

Regards,
Lukas
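As an added illustration (not from the thread and not the haproxy project's own configuration), the two backends below put the setup the thread describes next to a TLS-based health check that haproxy 1.5 supports. The backend name, server name and 192.0.2.10 address are placeholders; the only assumption beyond the thread is that haproxy was built with OpenSSL support, which the `check-ssl` and `verify` server keywords require.

```haproxy
# Added example, not part of the original thread. Backend/server names
# and the 192.0.2.10 address are placeholders.

# (a) The configuration from the thread: TCP passthrough with ssl-hello-chk.
#     ssl-hello-chk sends an SSLv3 ClientHello. A backend that has SSLv3
#     disabled rejects it, the check fails, and the server is marked DOWN
#     even though real clients negotiating TLS 1.x would be served fine.
backend origin_sslv3_hello_check
    mode tcp
    option ssl-hello-chk
    server origin1 192.0.2.10:443 check

# (b) Same passthrough, but the health check performs a real TLS handshake
#     with haproxy's own SSL stack instead of a canned SSLv3 hello.
#     check-ssl forces the check over SSL/TLS even though production traffic
#     is still passed through unchanged (no "ssl" keyword on the server).
#     verify none skips certificate validation for the check; the curl
#     output above shows the certificate CN does not match the IP being
#     probed, so validation would otherwise fail. Drop "verify none" and
#     add a ca-file once the backend presents a certificate that validates
#     for the name haproxy connects to.
backend origin_tls_handshake_check
    mode tcp
    server origin1 192.0.2.10:443 check check-ssl verify none
```

With (b) the check exercises the same protocol version negotiation a TLS client uses, so a backend that has disabled SSLv3 stays UP; the trade-off is that `verify none` accepts any certificate for the check, which is acceptable for liveness only as long as the data path is passthrough and the client, not haproxy, validates the certificate.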

