Thanks, this has all been very helpful. Unfortunately it seems that some of the pieces to create a debuggable version of these old clients are currently missing here. If I can get that together I'll debug and hopefully find something. Until then, we'll be attempting to route their traffic around HAProxy leaving only newer clients to get the benefit.
If I come up with something that works or is otherwise useful I'll post it here.

Thanks again,
Bryan

On Tue, Feb 24, 2015 at 1:21 PM, Lukas Tribus <luky...@hotmail.com> wrote:
>> In both &1 and &1, the handshake does end early.
>
> Well capture &2 is actually truncated, it doesn't really show the entire TCP
> session, but I suspect the behavior is exactly the same as in capture &1.
>
> Looking at &1, even though the server requests a certificate from the client,
> the client doesn't send it, but closes the connection right away.
>
> So it's once again the client that decides not to talk to haproxy, not the
> other way around.
>
> There is one last difference that may trigger the bug in the client:
> The fact that your current server sends the Server Hello without any
> additional messages, and waits for the client to (TCP) ACK it. Only
> then it sends Certificate and Certificate Request TLS messages.
>
> HAproxy/OpenSSL doesn't do this, and I have not found a way to
> replicate this.
>
> I don't see any options other than trying to debug on the client
> application.
>
> Regards,
>
> Lukas