I believe I may have discovered a bug in HAProxy 1.5.4 on CentOS 7.1, installed via standard repositories.
I don't want to go into debugging levels of detail here, but instead will provide a synopsis in the hopes someone knows of a bug already or can confirm it warrants further investigation.

Systems details:

[root@(redacted) ~]# cat /etc/redhat-release
CentOS Linux release 7.1.1503 (Core)

[root@(redacted) ~]# haproxy --version
HA-Proxy version 1.5.4 2014/09/02
Copyright 2000-2014 Willy Tarreau <[email protected]> (redacted)

[root@(redacted) ~]# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013

[root@(redacted) ~]# uname -a
Linux (redacted) 3.10.0-229.11.1.el7.x86_64 #1 SMP Thu Aug 6 01:06:18 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

Redacted configuration:

global
    daemon
    chroot /var/lib/haproxy
    group haproxy
    log 127.0.0.1 local2
    tune.ssl.default-dh-param 2048
    user haproxy
    stats socket /var/lib/haproxy/stats level admin
    maxconn 30000
    pidfile /var/run/haproxy.pid
    #ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
    #ssl-default-bind-options no-tls-tickets -- as a side note, this is an unknown option to 1.5.4

defaults
    retries 3
    log global
    timeout http-request 10s
    timeout queue 10s
    timeout connect 10s
    timeout client 10s
    timeout server 10s
    timeout http-keep-alive 10s
    timeout check 10s
    mode http
    balance roundrobin
    option dontlognull
    option redispatch

frontend https-in
    (redacted ...)
    bind 0.0.0.0:443 ssl no-sslv3 crt /etc/ssl/certs/(redacted)
    redirect scheme https if !{ ssl_fc }
    default_backend client
    option httplog
    (redacted ...)
    (redacted ...)

Quite a lot has been removed from here for security reasons, so I apologise if this obstructs efforts to help with this issue.

In the above configuration, the key component here is 'ssl-default-bind-ciphers'. With this line commented out, as it is above, Qualys SSL Server Test (https://www.ssllabs.com/ssltest/index.html) brings our HAProxy instance to its knees when it reaches the stage of "Testing deprecated cipher suites". With the line uncommented, and HAProxy restarted, the tests pass fine and we come away with an A rating.

As this is a semi-production system, I can't currently spend the time taking out each cipher one at a time to determine which one could be causing the issue, but I can at a later date if someone feels the need. And again, I can and will go into more detail if you peeps feel the need is there to do so.

Regards,
Michael C.
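Added here as an example, not code from the post or from HAProxy: a small Python classifier for the 'ssl-default-bind-ciphers' string quoted above, which separates the forward-secret suites from the entries a "deprecated cipher suites" scan will exercise (3DES, Camellia, static-RSA key exchange and the bare AES/CAMELLIA group aliases) and emits a hardened string. It assumes OpenSSL suite-naming conventions (an ECDHE-/DHE- prefix means forward secrecy, GCM means AEAD) and uses the posted cipher string as its sample input.

```python
# The ssl-default-bind-ciphers value from the post, split across lines for readability.
POSTED_CIPHERS = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"
    "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:"
    "DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:"
    "ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:"
    "AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:"
    "DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:"
    "!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
)

# Bulk-cipher labels keyed on substrings of OpenSSL suite names (assumed naming convention).
BULK = (("GCM", "aead"), ("DES-CBC3", "3des"), ("CAMELLIA", "camellia"))

def split_cipher_string(cipher_string):
    """Split an OpenSSL cipher string into (named suites, group aliases, '!' exclusions)."""
    suites, aliases, exclusions = [], [], []
    for tok in filter(None, cipher_string.split(":")):
        if tok.startswith("!"):
            exclusions.append(tok[1:])
        elif "+" in tok or "-" not in tok:  # kEDH+AESGCM, AES, CAMELLIA are groups, not suites
            aliases.append(tok)
        else:
            suites.append(tok)
    return suites, aliases, exclusions

def classify(suite):
    """Return (key exchange, bulk cipher) derived from the suite name."""
    kx = "pfs" if suite.startswith(("ECDHE-", "DHE-")) else "static-rsa"
    bulk = next((label for pat, label in BULK if pat in suite), "cbc")
    return kx, bulk

def weak_entries(cipher_string):
    """Entries a deprecated-cipher scan exercises: 3DES, Camellia, non-PFS suites, broad aliases."""
    suites, aliases, _ = split_cipher_string(cipher_string)
    weak = [s for s in suites
            if classify(s)[0] == "static-rsa" or classify(s)[1] in ("3des", "camellia")]
    # Bare AES/CAMELLIA aliases expand to every RSA-key-exchange suite OpenSSL knows for them.
    return weak + [a for a in aliases if a in ("AES", "CAMELLIA")]

def hardened(cipher_string):
    """Keep only forward-secret AES suites in their original order; carry the exclusions forward."""
    suites, _, exclusions = split_cipher_string(cipher_string)
    keep = [s for s in suites if classify(s) in (("pfs", "aead"), ("pfs", "cbc"))]
    return ":".join(keep + ["!" + e for e in exclusions])
```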

