On Wed, May 20, 2015 at 10:10 AM, Amol <[email protected]> wrote:

> here is the output from the commands you requested
>
> Built with OpenSSL version : OpenSSL 0.9.8k 25 Mar 2009
> Running on OpenSSL version : OpenSSL 0.9.8k 25 Mar 2009
>
> :~$ openssl version
> OpenSSL 0.9.8k 25 Mar 2009
>

The openssl version is just too old to support TLS 1.2 as you can see in the supported cipher list below. Best bet would be to upgrade to a newer release of your OS. Another option would be to compile a newer version of openssl and compile your own haproxy and statically link against the newer openssl.

-Bryan

> :~$ openssl ciphers -v
> DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
> DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
> AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
> EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
> EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
> DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
> DES-CBC3-MD5 SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5
> DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
> DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
> AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
> RC2-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC2(128) Mac=MD5
> RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
> RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
> RC4-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
> EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH Au=RSA Enc=DES(56) Mac=SHA1
> EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH Au=DSS Enc=DES(56) Mac=SHA1
> DES-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
> DES-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=DES(56) Mac=MD5
> EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
> EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512) Au=DSS Enc=DES(40) Mac=SHA1 export
> EXP-DES-CBC-SHA SSLv3 Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
> EXP-RC2-CBC-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
> EXP-RC2-CBC-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
> EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
> EXP-RC4-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
> :~$
>
> ------------------------------
> *From:* Bryan Talbot <[email protected]>
> *To:* Amol <[email protected]>; HAproxy Mailing Lists <[email protected]>
> *Sent:* Wednesday, May 20, 2015 1:04 PM
> *Subject:* Re: SSL handshake failure when setting up no-tlsv10
>
> On Wed, May 20, 2015 at 9:39 AM, Amol <[email protected]> wrote:
>
> Thank you for responding and I wanted to share some more from my findings
>
> when I set
> *ssl-default-bind-options no-sslv3 force-tlsv12*
>
> $ sudo vi /etc/haproxy/haproxy.cfg
> :~$ sudo /etc/init.d/haproxy restart
> * Restarting haproxy
> haproxy
> [ALERT] 139/122930 (8602) : parsing [/etc/haproxy/haproxy.cfg:22] : 'ssl-default-bind-options' 'force-tlsv12': library does not support protocol TLSv1.2
> [ALERT] 139/122930 (8602) : Error(s) found in configuration file : /etc/haproxy/haproxy.cfg
> [ALERT] 139/122930 (8602) : Fatal errors found in configuration.
>
> Yes, it sounds like your openssl lib must be pretty old or is oddly
> configured. What does "haproxy -vv" and "openssl version" report? You can
> see a list of supported ciphers and protocols using "openssl ciphers -v" as
> well.
>
> -Bryan
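
The check described in the reply above, written out as an added example that is not part of the original thread: it summarises `openssl ciphers -v` output by the protocol column so the absence of TLSv1.2 suites is visible at a glance. The function names and the second sample are assumptions made for illustration; the first sample reuses rows from the listing quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): summarise `openssl ciphers -v` output.
# Column 2 is the protocol version a suite belongs to; on old builds "SSLv3"
# also covers TLS 1.0. A library that can negotiate TLS 1.2 lists at least
# one row with "TLSv1.2" in that column.

summarize_ciphers() {   # stdin: `openssl ciphers -v` output
    awk '
        NF >= 6 {
            if ($2 == "TLSv1.2") tls12++
            if ($2 == "SSLv2")   sslv2++
            if ($1 ~ /^EXP-/)    export_n++   # 40-bit export-grade suites
        }
        END { printf "tls12=%d sslv2=%d export=%d\n", tls12, sslv2, export_n }'
}

has_tls12() {           # exit status 0 only if a TLSv1.2 suite is listed
    summarize_ciphers | grep -qv '^tls12=0 '
}

# Sample 1: rows copied from the 0.9.8k listing quoted in the thread.
OLD_SAMPLE='DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DES-CBC3-MD5 SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5
EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export'

# Sample 2: constructed rows in the format a TLS 1.2 capable build prints.
NEW_SAMPLE='ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1'

printf '%s\n' "$OLD_SAMPLE" | summarize_ciphers
printf '%s\n' "$NEW_SAMPLE" | summarize_ciphers

# On a real host, before setting force-tlsv12 in haproxy.cfg:
#   openssl ciphers -v | has_tls12 || echo "library has no TLS 1.2 suites"
```

Run it against the same OpenSSL that `haproxy -vv` reports under "Running on OpenSSL version", since a statically linked haproxy may use a different library than the `openssl` binary on the PATH.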

