On 23/04/2015 6:01 PM, <i...@linux-web-development.de> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Hi!
>
> I'm having trouble with one of our HAProxy-Servers that uses a backend
with TLS. When starting HAProxy the backend will report all servers as down:
>
>> Server web_remote/apache_rem_1 is DOWN, reason: Layer6 invalid response,
info: "SSL handshake failure",

When i see this it is usually issue with the ciphers. Can you try setting
specific cipher in the ssl backend that you know is supported by the
backend servers?

check duration: 41ms. 1 active and 0 backup servers left. 0 sessions
active, 0 requeued, 0 remaining in queue.
>
>
>
> My backend configuration is as follows:
>
> backend web_remote
>     balance         leastconn
>     option          httpchk         HEAD /
>     option          redispatch
>     retries         3
>
>     default-server  inter 5000 rise 2 fall 5 maxconn 10000 maxqueue 50000
>
>     server apache_rem_1  1.2.3.4:12345             check maxconn 1000
maxqueue 5000 ssl ca-file /etc/ssl/web.pem
>     server apache_rem_2  2001:1:2:3:4:5:6:8:12345  check maxconn 1000
maxqueue 5000 ssl ca-file /etc/ssl/web.pem
>
>
> This backend worked just fine until now, a quick wget on the server also
worked and openssl s_client reports the certificate of the backend to be
valid.
>
> I couldn't find anything on the list except that the error would be due
to SSL_ABORT, but I'm not sure what this is supposed to tell me...
>
> Is there anything else for HAProxy/TLS that could be configured wrong?
How could I debug this issue when everything else reports the handshake was
successful?
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2
>
> iQIcBAEBCAAGBQJVOKYDAAoJEJGDW18KFrBD7p4P/05tlwkxRUJwVoI3Tl1Q3+xI
> upIcN9MfTHPpA6ilVkT2S43HxyZ7RYgYGRs6LEcipLJOhGSxIHcPgGZKwsMJK8NO
> cldP20A0SoRvkUsro1UWOj/iqAsxg+j6IYNxuBJUb5i2yG6KFlp/PupJJI1QDUov
> NzyfjqIh9iSgRA6j3jJSYUDLg5KM3Frl8O0GQysztxF8fihambx8vYjlEkIyrrtc
> obmRN3hyIHnJC3oTfhEtpyg8ihV8B6XCNCEHXLonEa8QQ4lIluKhDmh+LsydZ/og
> oEFQeBNp8VfRVIx8iT1ixNFAtw85ZcB0X5GpUMxHZ5l4IscD2THCfqge+nbOIoCw
> 9gHitbrKEe323DXIAiv/xWiJZNw3DwDyPDIXFLypBH2F6ZRSosBMyFwkj5omj3ey
> FKAL6DLXDylMgbrihSKA381GktPa5Vr/QmlMjr924VVDbQBmgFBiF7MKeSFHoAjT
> AJvWXplp8jIb7c1wo5vOVEa3MqLEW6Me+r2RvbAiDbQbXmVbRGmVgXo0WeZ2xgMq
> yhFAoW4JvgrrAqNdocXxc2DoP7BU51zu4b9qq4aPECUzyODpLYtU/PCDNBuvBcWI
> erGvwQt6iJP5C8NDHz/Q2mEdBgAq5K+qoSDn5CK+pmWDdR26AVRU8bH8Np4JP2ec
> c+qlPjicDRLalAn3jmQa
> =9FK7
> -----END PGP SIGNATURE-----
>
>

Reply via email to