On Mon, May 11, 2015 at 1:46 PM, Amol <[email protected]> wrote:

> Hi,
> I am using HAProxy (1.5.9) and trying to resolve a PCI compliance issue
> with TLS v1.0, but when I set the following options in the global section of
> the haproxy.cfg I am getting an error in my haproxy.log and the webpage
> does not show up.
>
> ssl-default-bind-options no-sslv3 *no-tlsv10*
>
> *error in haproxy.log*
>
> May 11 16:37:39 load-lb haproxy[2680]: xx.xx.xx.xx:56787
> [11/May/2015:16:37:39.626] www-https/1: SSL handshake failure
>
>
> here is the snippet of the actual SSL settings
>
>         ssl-default-bind-ciphers
> EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:
> EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4
>         ssl-default-bind-options no-sslv3 *no-tlsv10*
>         tune.ssl.default-dh-param 4096
>
>
> Please let me know if I am missing anything.
>
>
>

Works for me.

$ ./haproxy -vv
HA-Proxy version 1.5.12-2 2015/05/11
Copyright 2000-2015 Willy Tarreau <[email protected]>

Build options :
  TARGET  = generic
  CPU     = generic
  CC      = gcc
  CFLAGS  = -O2 -g -fno-strict-aliasing
  OPTIONS = USE_ZLIB=1 USE_OPENSSL=0

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

Encrypted password support via crypt(3): no
Built with zlib version : 1.2.5
Compression algorithms supported : identity, deflate, gzip
Built with OpenSSL version : OpenSSL 1.0.2a 19 Mar 2015
Running on OpenSSL version : OpenSSL 1.0.2a 19 Mar 2015
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built without PCRE support (using libc's regex instead)

Available polling systems :
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 2 (2 usable), will use poll.


$ cat haproxy.cfg
global
  tune.ssl.default-dh-param 4096
  ssl-default-bind-options no-sslv3 no-tlsv10
  ssl-default-bind-ciphers
EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4

defaults
  timeout client 5s
  timeout server 5s
  mode http

listen foo
  bind :4433 ssl crt ./test.pem


$ ./haproxy -f ./haproxy.cfg -c
Configuration file is valid


$ openssl version
OpenSSL 1.0.2a 19 Mar 2015


$ echo | openssl s_client -connect 127.0.0.1:4433
...
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
...


Maybe it's an issue with your client?

-Bryan
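Two checks a practitioner would want around the "no-sslv3 no-tlsv10" setting discussed above. A plain `openssl s_client` run negotiates the highest version both sides offer, so a TLSv1.2 session shows the listener is working but does not by itself show that TLS 1.0 is refused; offering one version at a time (`-ssl3`, `-tls1`, `-tls1_1`, `-tls1_2`) does. And the haproxy.log line quoted in the question ("SSL handshake failure") is where clients that can no longer negotiate show up after the change, so counting those lines per client address tells you who is affected. The script below is an added example and is not part of this thread or of HAProxy itself; the host, port and the log excerpt it parses are constructed, and the log field positions follow the single line quoted above.

```shell
#!/bin/sh
# Added example, not part of the thread. Two defender-side checks around a
# "no-sslv3 no-tlsv10" bind:
#   1. probe a listener per protocol version with openssl s_client and read
#      the negotiated protocol out of its output;
#   2. summarise "SSL handshake failure" lines in haproxy.log per client
#      address, to see which clients stopped negotiating after the change.
# The log line layout follows the one quoted in the thread; the sample log
# below and the host/port used for probing are constructed.

# Read `openssl s_client` output on stdin and print the negotiated protocol
# (e.g. "TLSv1.2"), or "none" when no session was established. Older
# OpenSSL prints an SSL-Session block with "Cipher : 0000" on a failed
# handshake, so the cipher is checked as well as the Protocol line.
negotiated_protocol() {
    awk '
        /^[ \t]*Protocol[ \t]*:/ { proto = $3 }
        /^[ \t]*Cipher[ \t]*:/   { cipher = $3 }
        END {
            if (proto != "" && cipher != "" && cipher != "0000") print proto
            else print "none"
        }'
}

# Offer exactly one protocol version to HOST:PORT. FLAG is an s_client
# version flag (-ssl3, -tls1, -tls1_1, -tls1_2). Prints one line per probe.
# Caveat: a flag the local openssl binary was built without also shows up
# as "rejected"; check `openssl s_client -help` before trusting that result.
probe_version() {
    host=$1; port=$2; flag=$3
    proto=$(echo | openssl s_client -connect "$host:$port" "$flag" 2>/dev/null \
            | negotiated_protocol)
    if [ "$proto" = "none" ]; then
        echo "$flag rejected"
    else
        echo "$flag accepted ($proto)"
    fi
}

# Count "SSL handshake failure" log lines per client address, reading
# haproxy.log lines on stdin. Field 6 is "client:port" in the syslog-prefixed
# format shown in the thread; the trailing ":port" is stripped so IPv6
# addresses are handled too.
handshake_failures_by_client() {
    awk '/SSL handshake failure/ {
             client = $6
             sub(/:[0-9]+$/, "", client)
             n[client]++
         }
         END { for (c in n) print c, n[c] }' | sort
}

# Constructed haproxy.log excerpt (RFC 5737 documentation addresses).
SAMPLE_LOG='May 11 16:37:39 load-lb haproxy[2680]: 192.0.2.10:56787 [11/May/2015:16:37:39.626] www-https/1: SSL handshake failure
May 11 16:37:41 load-lb haproxy[2680]: 192.0.2.10:56790 [11/May/2015:16:37:41.001] www-https/1: SSL handshake failure
May 11 16:37:42 load-lb haproxy[2680]: 198.51.100.7:40111 [11/May/2015:16:37:42.330] www-https/1: SSL handshake failure
May 11 16:37:43 load-lb haproxy[2680]: 203.0.113.5:51000 [11/May/2015:16:37:43.100] www-https~ www-backend/web1 0/0/1/2/3 200 512 - - ---- 1/1/0/0/0 0/0 "GET / HTTP/1.1"'

echo "handshake failures per client (sample log):"
printf '%s\n' "$SAMPLE_LOG" | handshake_failures_by_client

# Live probes run only when a host and port are given, e.g.
#   sh tls_check.sh 127.0.0.1 4433
# Expected for a bind with "no-sslv3 no-tlsv10": -ssl3 and -tls1 rejected,
# -tls1_1 and -tls1_2 accepted (subject to the cipher list and client build).
if [ $# -ge 2 ]; then
    for flag in -ssl3 -tls1 -tls1_1 -tls1_2; do
        probe_version "$1" "$2" "$flag"
    done
fi
```

Run it with no arguments to see the per-client failure counts from the embedded sample; pass a host and port (for instance the 127.0.0.1 4433 listener from the reply above) to probe each protocol version in turn. A client address that accounts for most of the failures right after the change is the first place to look for a TLS 1.0-only client.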
