> On Tue, Feb 24, 2015 at 01:33:32PM -0700, NuSkooler wrote:
>> Thanks, this has all been very helpful.
>>
>> Unfortunately it seems that some of the pieces to create a debuggable
>> version of these old clients are currently missing here. If I can get
>> that together I'll debug and hopefully find something. Until then,
>> we'll be attempting to route their traffic around HAProxy leaving only
>> newer clients to get the benefit.
>>
>> If I come up with something that works or otherwise useful I'll post it here.
>
> I have not yet checked your traces, but since it was mentionned that
> application protocol "http" was present in the traces, maybe the client
> actually wants an explicit support for "http" advertised by the server.
> If this is the case, you may want to try to add "npn http alpn http" (or
> just one of them) on your bind line so that haproxy advertises them.
>From the traces it looks like the client support neither NPN, nor ALPN.
HAproxy linked against openssl 1.0.1 like in this case also only supports
NPN.
Another thing: don't trust Wireshark's decode of the "Application Data
Protocol" in a TLSv1 record, it appears completely buggy to me. I also
saw "spdy" on a HTTPS session to a server that doesn't support spdy.
Lukas
