Do you use any reqrep/resprep rules? I'm asking because I had the same kind of problem, also with java apps.
First I changed the global section to:

    tune.ssl.default-dh-param 1024
    ssl-default-bind-ciphers EECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL
    ssl-default-bind-options no-sslv3

I also modified a few reqrep/resprep rules: a few rules only accepted HTTP/1.1, but the clients made the requests using HTTP/1.0. That was the reason I was getting the 400 error.

Hope it helps.

Regards.

On Mon, Feb 23, 2015 at 3:36 PM, Lukas Tribus <luky...@hotmail.com> wrote:
> Hi,
>
> > I'm not currently sure on the JRE version. These are Android clients
> > written with an old Android SDK. All new clients are C++ / OpenSSL
> > based.
> >
> > I have set the DH param size to 1024 with the same results.
> > Additionally, I set up a bind statement that reflects that of the
> > backward compatibility link you provided from Mozilla. Again, with no
> > luck.
> >
> > Attached two pcap files:
> > haproxy_1.pcap: Capture of client against HAProxy with the target
> > configuration I started with + 1024 DH param. HAProxy is @ 10.3.2.74
> > here
> > haproxy_2.pcap: Capture of the client against OpenSSL s_server run as
> > such:
> > openssl s_server -accept 443 -cert
> > ~/Downloads/json_rpc_server_cert_and_key.pem -msg -debug -state.
> > s_client is @ 10.3.2.118 here
>
> There's some confusion here.
>
> For the sake of clarity, please, for the time being, use the Mozilla cipher
> recommendations, and configure your bind line *exactly* like this (don't
> specify the named curves, just configure the ciphers without any additional
> configuration):
>
> http://pastebin.com/raw.php?i=XswSbviN
>
> and provide the pcap file of the failed handshake of *that* specific
> configuration, not your original configuration.
>
> "verify optional" on the bind line will certainly upset buggy clients,
> because the server will ask the client to provide a certificate, don't use
> it when troubleshooting SSL problems that are unrelated to client cert auth.
>
> I don't see any SPDY traffic in the traces either ...
>
> Regards,
> Lukas
>
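To illustrate the reqrep point in the reply above, here is an added example (not from the thread or from the HAProxy project) that simulates in Python how an HAProxy-style request-line rewrite behaves against HTTP/1.1 and HTTP/1.0 request lines. The two rules and the sample request lines are hypothetical and constructed for the illustration; in a real haproxy.cfg the spaces in the pattern would be written as "\ ", and HAProxy's own regex engine is used rather than Python's re module, so only basic regex constructs are relied on here.

```python
import re

# Constructed sample request lines (not taken from the thread's captures).
# Old SDK clients in the thread sent HTTP/1.0; newer ones sent HTTP/1.1.
REQUESTS = [
    "GET /api/v1/status HTTP/1.1",
    "GET /api/v1/status HTTP/1.0",
    "POST /api/v1/rpc HTTP/1.0",
]

# Hypothetical rule anchored to "HTTP/1.1": it silently fails to match
# anything an HTTP/1.0 client sends, so those requests are never rewritten.
STRICT_RULE = (r"^([^ ]+) /api/v1/(.*) HTTP/1\.1$", r"\1 /internal/\2 HTTP/1.1")

# Hypothetical version-agnostic rule: captures the version the client used
# and preserves it, so HTTP/1.0 and HTTP/1.1 requests are treated alike.
LENIENT_RULE = (r"^([^ ]+) /api/v1/(.*) (HTTP/1\.[01])$", r"\1 /internal/\2 \3")


def apply_rule(rule, request_line):
    """Apply one (pattern, replacement) rule to a request line.

    Returns (rewritten_line, matched). When the pattern does not match,
    the line is returned unchanged, just as HAProxy would pass it on."""
    pattern, replacement = rule
    new_line, count = re.subn(pattern, replacement, request_line)
    return new_line, count == 1


def unmatched(rule, requests=REQUESTS):
    """Request lines the rule leaves untouched; useful for spotting
    version-pinned patterns before old clients hit them in production."""
    return [req for req in requests if not apply_rule(rule, req)[1]]


if __name__ == "__main__":
    for name, rule in (("strict", STRICT_RULE), ("lenient", LENIENT_RULE)):
        print(f"{name}: unmatched = {unmatched(rule)}")
```

Running it shows the strict rule skipping both HTTP/1.0 lines while the lenient rule rewrites all three; checking a config's reqrep patterns this way against the request lines your oldest clients actually send is a quick way to find the version-pinned ones.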