Thank you so much for your hint! I've dumped the start of HAProxy and imported the result in wireshark and a fatal error showed up. It said "Unknown CA" when the handshake failed. It turns out my coworker did not add a full trust chain into the ca-file when he changed the cert to a new one.

On 2015-04-24 09:30, Evgeniy Sudyr wrote:
Check handshake with tcpdump / wireshark to see what's happening.

On Friday, April 24, 2015, <[email protected]> wrote:

On 2015-04-23 17:11, Baptiste wrote:
On Thu, Apr 23, 2015 at 4:18 PM, <[email protected]>
wrote:
SSLv3 is not allowed anywhere in our infrastructure; it is disabled
already.

You did not catch the point.
HAProxy may use SSLv3 to get connected to the server,
so disable SSLv3 on the server side in HAProxy just to ensure this
is not the root of the problem.
Then we could investigate further.

Baptiste

 I've limited the options on the backend to only allow
ECDHE-RSA-AES256-GCM-SHA384 and TLS1.2 and verified that this works
with s_client:

     s_client output:
       [..]
       New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
       [..]
         Protocol  : TLSv1.2

 And set the following options in the HAProxy configuration:

     ssl-default-server-ciphers
ECDHE-RSA-AES128-GCM-SHA384:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
     ssl-default-server-options no-sslv3

 the backend servers now additionally have the following options
set:

     server apache_rem_1 1.2.3.4:12345 check maxconn 1000 maxqueue 5000 check-ssl ssl verify required force-tlsv12 ca-file /etc/ssl/web.pem

 So as far as I understand, HAProxy as well as the backend should both
be forced to use ECDHE-RSA-AES256-GCM-SHA384/TLS1.2, but I still get
the same error (>>Layer6 invalid response, info: "SSL handshake
failure"<<).

 Anything I missed?

--
With regards,
Eugene Sudyr



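The root cause above (a ca-file that does not carry the full trust chain, surfacing as an "Unknown CA" alert in the capture) is easy to check before touching HAProxy. The script below is an added example, not code from this thread or from the HAProxy project: it follows the issuer/subject links from the certificate the backend presents, through any intermediates (sent by the server or present in ca-file), to a self-signed root that must be in ca-file, which is what OpenSSL's default path building (no partial-chain flag) requires. It checks name linkage only, not signatures or validity; `openssl verify -CAfile /etc/ssl/web.pem` remains the authoritative test. The CN values and the three certificates are constructed, unsigned skeletons built inline purely so the checker runs offline; on a real system, feed it the output of `openssl s_client -connect 1.2.3.4:12345 -showcerts` and the ca-file.

```python
"""Chain-completeness check for an HAProxy ca-file (added example, not from the thread).

Only issuer/subject names are followed; signatures and dates are not verified.
"""
import base64
import re

PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_ders(text):
    """Return the DER bytes of every certificate block in a PEM bundle."""
    return [base64.b64decode("".join(block.split())) for block in PEM_CERT.findall(text)]


def _tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits give the byte count of the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def issuer_and_subject(der):
    """Pull the raw issuer and subject Name TLVs out of an X.509 certificate."""
    _, p, _ = _tlv(der, 0)                  # Certificate SEQUENCE
    _, p, _ = _tlv(der, p)                  # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, p)
    if tag == 0xA0:                         # optional [0] EXPLICIT version
        p = end
    _, _, p = _tlv(der, p)                  # serialNumber
    _, _, p = _tlv(der, p)                  # signature AlgorithmIdentifier
    _, _, end = _tlv(der, p)
    issuer, p = der[p:end], end             # issuer Name
    _, _, p = _tlv(der, p)                  # validity
    _, _, end = _tlv(der, p)
    return issuer, der[p:end]               # subject Name


def common_name(name_der):
    """Best-effort CN (OID 2.5.4.3) for messages; falls back to a hex prefix."""
    i = name_der.find(b"\x06\x03\x55\x04\x03")
    if i < 0:
        return name_der.hex()[:16]
    _, s, e = _tlv(name_der, i + 5)
    return name_der[s:e].decode("utf-8", "replace")


def check_chain(server_chain_pem, ca_file_pem):
    """Walk from the presented leaf to a self-signed root in ca-file; return (ok, message)."""
    presented = [issuer_and_subject(d) for d in pem_to_ders(server_chain_pem)]
    trusted = [issuer_and_subject(d) for d in pem_to_ders(ca_file_pem)]
    if not presented:
        return False, "server presented no certificate"
    by_subject = {subj: (iss, subj) for iss, subj in presented[1:] + trusted}
    trusted_subjects = {subj for _, subj in trusted}
    issuer, subject = presented[0]
    seen = set()
    while True:
        if issuer == subject:               # reached a self-signed certificate
            if subject in trusted_subjects:
                return True, f"chain anchored at root {common_name(subject)!r} in ca-file"
            return False, f"root {common_name(subject)!r} is self-signed but not in ca-file"
        if subject in seen:
            return False, "issuer loop in chain"
        seen.add(subject)
        nxt = by_subject.get(issuer)
        if nxt is None:                     # the link the thread was missing
            return False, (f"issuer {common_name(issuer)!r} of {common_name(subject)!r} is neither "
                           "sent by the server nor in ca-file: OpenSSL will send 'Unknown CA'")
        issuer, subject = nxt


# ---- constructed test data: unsigned certificate skeletons, not real certificates ----
def _der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _name(cn):
    # Name ::= SEQUENCE OF SET OF { type = 2.5.4.3 (CN), value = UTF8String }
    return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))


def fake_cert_pem(subject_cn, issuer_cn):
    """Constructed certificate with the real field order but no key and a dummy signature."""
    sha256_rsa = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _der(0x05, b""))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + sha256_rsa
               + _name(issuer_cn)
               + _der(0x30, _der(0x17, b"150424000000Z") + _der(0x17, b"160424000000Z"))
               + _name(subject_cn) + _der(0x30, b""))
    cert = _der(0x30, tbs + sha256_rsa + _der(0x03, b"\x00"))
    body = base64.b64encode(cert).decode()
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
            + "\n-----END CERTIFICATE-----\n")


LEAF = fake_cert_pem("backend.example", "Example Intermediate CA")          # hypothetical names
INTERMEDIATE = fake_cert_pem("Example Intermediate CA", "Example Root CA")
ROOT = fake_cert_pem("Example Root CA", "Example Root CA")

if __name__ == "__main__":
    print(check_chain(LEAF, ROOT))                  # only the root in ca-file: Unknown CA
    print(check_chain(LEAF, INTERMEDIATE + ROOT))   # full chain in ca-file: ok
    print(check_chain(LEAF + INTERMEDIATE, ROOT))   # server sends the intermediate: ok
```

The first call reproduces the failure from the thread: the backend sends only its leaf, the new ca-file holds only the root, and the intermediate is nowhere, so path building stops one hop short. Either adding the intermediate to the ca-file or configuring the backend to send it fixes the walk; the walk ending at a self-signed root that is in ca-file is what OpenSSL needs unless partial-chain verification has been enabled explicitly.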