Hi,

> I'm not currently sure on the JRE version. These are Android clients
> written with an old Android SDK. All new clients are C++ / OpenSSL
> based.
>
> I have set the DH param size to 1024 with the same results.
> Additionally, I set up a bind statement that reflects that of the
> backward compatibility link you provided from Mozilla. Again, with no
> luck.
>
> Attached two pcap files:
> haproxy_1.pcap: Capture of client against HAProxy with the target
> configuration I started with + 1024 DH param. HAProxy is @ 10.3.2.74
> here
> haproxy_2.pcap: Capture of the client against OpenSSL s_server run as such:
> openssl s_server -accept 443 -cert
> ~/Downloads/json_rpc_server_cert_and_key.pem -msg -debug -state.
> s_client is @ 10.3.2.118 here

There's some confusion here.

For the sake of clarity, please, for the time being, use the Mozilla cipher
recommendations, and configure your bind line *exactly* like this (don't
specify the named curves, just configure the ciphers without any additional
configuration):

http://pastebin.com/raw.php?i=XswSbviN


and provide the pcap file of the failed handshake of *that* specific
configuration, not your original configuration.


"verify optional" on the bind line will certainly upset buggy clients, because
the server will ask the client to provide a certificate. Don't use it when
troubleshooting SSL problems that are unrelated to client cert auth.



I don't see any SPDY traffic in the traces either ...


Regards,

Lukas

                                          
