On 11/05/2015 10:46 PM, Amol wrote:
> Hi
> I am using Haproxy (1.5.9) and trying to resolve a PCI compliance issue
> with TLS v1.0, but when I set the following options in global section of
> the haproxy.cfg I am getting an error in my haproxy.log and the webpage
> does not show up.
> 
> ssl-default-bind-options no-sslv3 *no-tlsv10*
> 
> *error in haproxy.log*
> 
> May 11 16:37:39 load-lb haproxy[2680]: xx.xx.xx.xx:56787
> [11/May/2015:16:37:39.626] www-https/1: SSL handshake failure
> 
> 

I guess your client tried to use TLS1.0 which is disabled.

> here is the snippet of the actual SSL settings
> 
>         ssl-default-bind-ciphers 
> EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:
> EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4
>         ssl-default-bind-options no-sslv3 *no-tlsv10*
>         tune.ssl.default-dh-param 4096
> 
> 
> Please let me know if I am missing anything?
> 
> 
> 

Try openssl s_client -connect site:443 -tls1_1 and it should work, and
openssl s_client -connect site:443 -tls1 shouldn't work as you
disabled that version.

Cheers,
Pavlos
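
To see which clients start failing once TLS 1.0 is disabled, the handshake errors in haproxy.log can be tallied per listener and client address. This is an added example, not part of the original thread: the sample lines are constructed in the format of the log entry quoted above, and the function names are hypothetical.

```python
import re

# Constructed sample in the format of the haproxy.log entry quoted above
# (client addresses are documentation ranges, not real hosts).
SAMPLE_LOG = """\
May 11 16:37:39 load-lb haproxy[2680]: 192.0.2.10:56787 [11/May/2015:16:37:39.626] www-https/1: SSL handshake failure
May 11 16:37:41 load-lb haproxy[2680]: 192.0.2.10:56790 [11/May/2015:16:37:41.102] www-https/1: SSL handshake failure
May 11 16:38:02 load-lb haproxy[2680]: 198.51.100.7:40112 [11/May/2015:16:38:02.377] www-https/1: SSL handshake failure
May 11 16:38:05 load-lb haproxy[2680]: 203.0.113.5:51000 [11/May/2015:16:38:05.001] www-https/1: Connection closed during SSL handshake
May 11 16:38:09 load-lb haproxy[2680]: 198.51.100.7:40113 [11/May/2015:16:38:09.010] www-https~ www-backend/web1 3/0/1/12/16 200 512 - - ---- 1/1/0/0/0 0/0 "GET / HTTP/1.1"
"""

# client ip:port, accept date, listener (frontend/bind index), handshake message
LINE_RE = re.compile(
    r"haproxy\[\d+\]: (?P<ip>\S+):(?P<port>\d+) "
    r"\[(?P<ts>[^\]]+)\] (?P<listener>\S+/\d+): (?P<msg>.*SSL handshake.*)$"
)


def handshake_failures(log_text):
    """Group SSL handshake errors by (listener, client IP)."""
    stats = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m is None:
            continue  # normal traffic or an unrelated log line
        entry = stats.setdefault(
            (m["listener"], m["ip"]),
            {"count": 0, "first": m["ts"], "last": m["ts"], "messages": set()},
        )
        entry["count"] += 1
        entry["last"] = m["ts"]
        entry["messages"].add(m["msg"])
    return stats


def report(stats):
    """One line per client, most failures first."""
    rows = sorted(stats.items(), key=lambda kv: (-kv[1]["count"], kv[0]))
    return [
        f"{listener} {ip} failures={e['count']} first={e['first']} last={e['last']}"
        for (listener, ip), e in rows
    ]


if __name__ == "__main__":
    print("\n".join(report(handshake_failures(SAMPLE_LOG))))
```

The handshake error line does not record which protocol version the client offered, so the output is a list of clients to check, not proof that each one is limited to TLS 1.0.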

