On Fri, Nov 21, 2014 at 09:52:21AM +0100, Lukas Tribus wrote:
> >>> We need to check how haproxy 1.5 ssl-hello-chk behaves, if it's
> >>> still SSLv3 only, it would probably be a good time to upgrade this
> >>> to TLS (at least v1.0).
> >>>
> >>> Enable SSLv3 on your server or disable ssl-hello-chk to work around
> >>> the issue.
> >>>
> >>
> >> It is, though I would rather add an additional keyword, so like
> >> 'ssl-hello-chk tls' would activate TLS1.0
> >
> > Agreed, that way we can backport it to v1.5.
>
> I was thinking, do we really need this? If one builds 1.5 with openssl, we
> can use a real TLS transport layer, by specifying check-ssl on the server
> line (not check ssl) and that should fix the problem already?
>
> TCP forwarding should still be possible even with check-ssl.
Indeed, I'd prefer not to add more confusion about the use of ssl-hello-chk, whose purpose is very limited, especially when native SSL support is available.

Best regards,
Willy
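The two health-check styles discussed in this thread side by side, as an added configuration example that is not taken from the original messages or from the HAProxy project; the backend names, server names and addresses are placeholders:

```haproxy
# Added example (constructed): backend and server names and the 192.0.2.10 address are placeholders.

# Old style: "option ssl-hello-chk" sends a hand-built SSLv3 ClientHello on the
# health-check connection. A backend that has SSLv3 disabled rejects that hello,
# so the check fails even though the server is healthy.
backend app_legacy_check
    mode tcp
    balance roundrobin
    option ssl-hello-chk
    server app1 192.0.2.10:443 check

# Preferred on a 1.5 build with OpenSSL: "check-ssl" wraps only the health check
# in a real TLS session negotiated by the SSL library, so the check speaks
# TLSv1.0 or later instead of SSLv3. Client traffic is still forwarded as plain
# TCP because the "ssl" keyword is not set on the server line.
backend app_tls_check
    mode tcp
    balance roundrobin
    server app1 192.0.2.10:443 check check-ssl
```

The point of the second backend is that `check-ssl` and `ssl` are independent server keywords: the health check gets a proper TLS handshake while the proxied connections remain plain TCP, which is the combination the thread relies on.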

