> PFS depends on using DH algorithm to exchange and create a secret for
> the connection.

This is not entirely correct, *DHE* ciphers depend on it, but ECDHE ciphers don't. Since he disabled all DHE ciphers manually in the configuration, that's not it.

> I didn't have DH parameters, added those, but it's still not working
> yet. Is there any way to check with openssl why it isn't working?

First of all, post the output of "haproxy -vv".

Second of all, try a simpler list of ciphers like 'HIGH:@STRENGTH'. If that works, try the Mozilla recommendation [1].

Regards,

Lukas

[1] https://wiki.mozilla.org/Security/Server_Side_TLS

