Hi, I just added "kEECDH+aECDSA+AES" in front of my cipher list and it works fine!
tx

Regards,

On Wed, 12 Aug 2015 11:33:15 +0200, Robin Geuze <[email protected]> wrote :
> ECC certs don't work with your keychain since it only contains RSA based
> ciphers and not ecdsa based ones.
>
> Baptiste wrote on 8/12/2015 11:29:
> > On Wed, Aug 12, 2015 at 11:22 AM, Marc-Antoine
> > <[email protected]> wrote:
> >> Hi all,
> >>
> >> i'm trying to use an ECC certificate under haproxy without success :
> >>
> >> * haproxy -vv
> >> HA-Proxy version 1.5.8 2014/10/31
> >> Copyright 2000-2014 Willy Tarreau <[email protected]>
> >>
> >> Build options :
> >>   TARGET = linux2628
> >>   CPU = generic
> >>   CC = gcc
> >>   CFLAGS = -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat
> >> -Werror=format-security -D_FORTIFY_SOURCE=2
> >>   OPTIONS = USE_ZLIB=1 USE_OPENSSL=1 USE_PCRE=1
> >>
> >> Default settings :
> >>   maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200
> >>
> >> Encrypted password support via crypt(3): yes
> >> Built with zlib version : 1.2.7
> >> Compression algorithms supported : identity, deflate, gzip
> >> Built with OpenSSL version : OpenSSL 1.0.1e 11 Feb 2013
> >> Running on OpenSSL version : OpenSSL 1.0.1e 11 Feb 2013
> >> OpenSSL library supports TLS extensions : yes
> >> OpenSSL library supports SNI : yes
> >> OpenSSL library supports prefer-server-ciphers : yes
> >> Built with PCRE version : 8.30 2012-02-04
> >> PCRE library supports JIT : no (USE_PCRE_JIT not set)
> >> Built with transparent proxy support using: IP_TRANSPARENT
> >> IPV6_TRANSPARENT IP_FREEBIND
> >>
> >> Available polling systems :
> >>   epoll : pref=300, test result OK
> >>   poll : pref=200, test result OK
> >>   select : pref=150, test result OK
> >> Total: 3 (3 usable), will use epoll.
> >>
> >> * conf :
> >>
> >> global
> >>     ssl-default-bind-ciphers
> >> kEECDH+aRSA+AES:kRSA+AES:+AES256:!kEDH:!LOW:!EXP:!MD5:!RC4:!aNULL:!eNULL
> >>     ssl-default-bind-options no-sslv3
> >>
> >> frontend cluster2:443
> >>     bind 1.2.3.4:443 ssl strict-sni crt /home/provisionning/0.pem crt
> >> /home/provisionning/cluster2.d
> >>     default_backend cluster2
> >>
> >> any idea ?
> >>
> >> --
> >> Marc-Antoine
> >>
> > Hi,
> >
> > Might be related to your Openssl version :/
> >
> > Baptiste
> >

--
Marc-Antoine
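
Added example, not part of the original thread: a check that expands the thread's cipher string with the local OpenSSL (through Python's `ssl` module) and reports which certificate key types its suites can authenticate, showing why the ECC certificate had no usable suite until the `kEECDH+aECDSA+AES` group was added. The function names are hypothetical, and the result reflects the OpenSSL build Python is linked against, not the haproxy host's.

```python
import ssl

# Cipher string from the thread's ssl-default-bind-ciphers setting.
ORIGINAL = ("kEECDH+aRSA+AES:kRSA+AES:+AES256:!kEDH:!LOW:!EXP:"
            "!MD5:!RC4:!aNULL:!eNULL")
# The change reported in the thread: an ECDSA-authenticated group in front.
FIXED = "kEECDH+aECDSA+AES:" + ORIGINAL


def expand(cipher_string):
    """Return the suites (as dicts) the local OpenSSL selects for the string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    # TLS 1.3 suites are not controlled by this string, so leave them out.
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def suites_for_key(cipher_string, key_type):
    """Names of selected suites usable with a certificate of key_type.

    key_type is 'rsa' or 'ecdsa'; it is matched against OpenSSL's
    authentication label for each suite ('auth-rsa', 'auth-ecdsa').
    """
    wanted = "auth-" + key_type.lower()
    return [c["name"] for c in expand(cipher_string) if c["auth"] == wanted]


def report(cipher_string):
    """Summarise how many suites each certificate key type can use."""
    return {k: len(suites_for_key(cipher_string, k)) for k in ("rsa", "ecdsa")}


if __name__ == "__main__":
    for label, value in (("original", ORIGINAL), ("fixed", FIXED)):
        print(label, report(value))
        for name in suites_for_key(value, "ecdsa"):
            print("   ", name)
```

A count of zero for `ecdsa` means a server holding only an ECC certificate cannot complete a handshake with that cipher list.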

