I didn't have DH parameters, added those, but it's still not working yet.
Is there any way to check with openssl why it isn't working?

On Tue, Dec 9, 2014 at 12:11 AM, Vivek Malik <[email protected]> wrote:

> Are you putting in DH parameters in mycert.pem?
>
> PFS depends on using DH algorithm to exchange and create a secret for
> the connection.
>
> openssl dhparam 2048 >> mycert.pem should add the DH parameters to the
> cert file.
>
> Regards,
> Vivek
>
> On Mon, Dec 8, 2014 at 4:44 PM, Sander Rijken <[email protected]>
> wrote:
> > System is Ubuntu 12.04 LTS server, with openssl 1.0.1 and haproxy 1.5.9
> >
> >     OpenSSL> version
> >     OpenSSL 1.0.1 14 Mar 2012
> >
> >
> > I'm currently using the following, started with the suggested [stanzas][1]
> > (formatted for readability, it is one long line in my config):
> >
> >     bind 0.0.0.0:443 ssl crt mycert.pem no-tls-tickets ciphers \
> >         ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384: \
> >         ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA384: \
> >         ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256: \
> >         AES128-SHA:AES256-SHA256:AES256-SHA no-sslv3
> >
> > [1]: https://gist.github.com/rnewson/8384304
> >
> > ssllabs.com indicates FS is not used. When I disable all algorithms except
> > the ECDHE ones, I get SSL connection error (ERR_SSL_PROTOCOL_ERROR), so
> > something on the system doesn't support FS.
> >
> > Any ideas?
> >
> >
> > --
> > Sander Rijken
> >
>
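To answer the question at the top of the thread, here is an added check script (not from either poster): has_dh_params verifies that the crt bundle haproxy loads actually contains the DH PARAMETERS block that `openssl dhparam 2048 >> mycert.pem` appends, pfs_cipher_from_sclient parses `openssl s_client` output to see whether an ECDHE/DHE suite was negotiated, and check_server runs s_client offering only the ECDHE suites from the config above. The host and port passed to check_server are assumed inputs; the PEM fragments used below are constructed, not real keys.

```shell
#!/usr/bin/env bash
# Added example, not part of the thread. Three checks for the PFS problem above.

has_dh_params() {
    # haproxy reads the whole crt file; the DH parameters must be present as
    # their own PEM block, otherwise DHE suites cannot be offered at all.
    grep -q -e '-----BEGIN DH PARAMETERS-----' "$1"
}

pfs_cipher_from_sclient() {
    # Reads `openssl s_client` output on stdin. The SSL-Session block prints a
    # line like "    Cipher    : ECDHE-RSA-AES128-GCM-SHA256". Only an ECDHE or
    # DHE suite gives forward secrecy; "(NONE)" or "0000" means the handshake
    # failed (the ERR_SSL_PROTOCOL_ERROR case), a plain AES*-SHA suite means
    # the server fell back to static RSA key exchange.
    local cipher
    cipher=$(sed -n 's/^ *Cipher *: *//p' | head -n 1)
    case "$cipher" in
        ECDHE-*|DHE-*|EDH-*) printf '%s\n' "$cipher"; return 0 ;;
        *)                   printf '%s\n' "${cipher:-(NONE)}"; return 1 ;;
    esac
}

check_server() {
    # Offer only the ECDHE suites from the haproxy config, as the original
    # poster did on the server side; -servername sends SNI, "Q" closes cleanly.
    echo Q | openssl s_client -connect "$1:${2:-443}" -servername "$1" \
        -cipher 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384' 2>&1 \
        | pfs_cipher_from_sclient
}
```

Run `has_dh_params mycert.pem` on the haproxy host and `check_server your.host` from another machine; the second prints the negotiated cipher and exits non-zero when no forward-secret suite was agreed.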
