OK, it's a little embarrassing I didn't notice this before, but running haproxy -vv pointed me in the right direction :). There was a devel build still installed on this server, and that has precedence in the PATH. Removed that, and now it works as expected.
Regards,
Sander

On Tue, Dec 9, 2014 at 1:38 AM, Lukas Tribus <[email protected]> wrote:
> > PFS depends on using DH algorithm to exchange and create a secret for
> > the connection.
>
> This is not entirely correct, *DHE* ciphers depend on it, but ECDHE ciphers
> don't. Since he disabled all DHE ciphers manually in the configuration,
> that's not it.
>
> > I didn't have DH parameters, added those, but it's still not working
> > yet. Is there any way to check with openssl why it isn't working?
>
> First of all, post the output of "haproxy -vv". Second of all, try a
> simpler list of ciphers like 'HIGH:@STRENGTH'. If that works, try the
> Mozilla recommendation [1].
>
> Regards,
> Lukas
>
> [1] https://wiki.mozilla.org/Security/Server_Side_TLS
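The point in the quoted reply, that forward secrecy comes from an ephemeral key exchange (DHE or ECDHE) and that dropping the DHE ciphers still leaves ECDHE, can be checked against any cipher string by looking at the Kx= column of "openssl ciphers -v". The script below is an added example, not code from the thread; it parses lines in that format (the sample lines are constructed, not captured from the server discussed) and reports which suites provide PFS, optionally with DHE suites removed as in the configuration described.

```python
"""Classify OpenSSL cipher-suite descriptions by forward secrecy.

Parses lines in the format printed by `openssl ciphers -v <cipher-string>`
(name, protocol, Kx=, Au=, Enc=, Mac=) and reports which suites use an
ephemeral key exchange. PFS needs Kx=DH (DHE suites) or Kx=ECDH (ECDHE
suites); Kx=RSA is a static key exchange and gives no forward secrecy.
"""
import re

# Constructed sample of `openssl ciphers -v` output, not real output from
# the thread's server. Columns are whitespace separated.
SAMPLE_CIPHERS_V = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
"""

LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
)


def parse_ciphers_v(text):
    """Return one dict (name, proto, kx, au) per suite line; skip junk."""
    suites = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            suites.append(m.groupdict())
    return suites


def provides_pfs(suite):
    """True when the key exchange is ephemeral (DHE or ECDHE)."""
    return suite["kx"] in ("DH", "ECDH")


def pfs_report(text, exclude_dhe=False):
    """Split suites into PFS / non-PFS names. exclude_dhe=True mirrors a
    config that drops all DHE ciphers (e.g. no dhparam configured), which
    leaves ECDHE as the only source of forward secrecy."""
    suites = parse_ciphers_v(text)
    if exclude_dhe:
        suites = [s for s in suites if s["kx"] != "DH"]
    pfs = [s["name"] for s in suites if provides_pfs(s)]
    no_pfs = [s["name"] for s in suites if not provides_pfs(s)]
    return {"pfs": pfs, "no_pfs": no_pfs}


if __name__ == "__main__":
    for key, names in pfs_report(SAMPLE_CIPHERS_V, exclude_dhe=True).items():
        print(key, names)
```

To run it against a live cipher string, pipe the output of `openssl ciphers -v 'HIGH:@STRENGTH'` into pfs_report; any suite listed under no_pfs is one a client could negotiate without forward secrecy.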

