On 02/12/2015 10:19 AM, "Lukas Tribus" <luky...@hotmail.com> wrote:
>
> > On 02/12/2015 12:41 AM, "Cohen Galit" <galit.co...@xura.com> wrote:
> > >
> > > Hello,
> > >
> > > When HAProxy 1.5.9 is trying to sample our servers with this configuration: tcp-check connect port 50443 ssl
> > >
> > > Our servers return an error:
> > >
> > > 2015-11-29 09:48:18,155 [StartPoint-IMAP-SSL-Worker(14)] [e8d05153-267f-4378-9a97-5245391ffe26] [] ERROR connection.SSLHandshakeStartPointListener (SSLHandshakeStartPointListener.java:onFailure :80) - SSL/TLS handshake failed with client identified by /10.106.75.51:35892
> >
> > Do you authenticate the client and/or the server?
> >
> > > javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled
> >
> > You need to disable SSLv3 in haproxy
>
> We are talking about the SSLv2 hello format. It's not about SSLv2
> or SSLv3, it's about the hello format.

Which can also be used by sslv3 clients, hence my comment.

> However, haproxy unconditionally sets SSL_OP_NO_SSLv2, which
> makes openssl not use the SSLv2 Hello, so I don't see why this would
> happen.
>
> I think the error message from Tomcat about the SSLv2Hello is irrelevant
> and misleading and you actually have a simple authentication problem.
>
> Regards,
>
> Lukas
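
Added example (not part of the original thread, and not HAProxy, OpenSSL or Tomcat code): the distinction discussed above between the hello format and the protocol version offered can be checked from the first bytes of a captured handshake. The function names and the sample byte strings below are constructed for illustration.

```python
import struct

# Wire (major, minor) pairs as they appear in either hello format.
VERSIONS = {(2, 0): "SSLv2", (3, 0): "SSLv3", (3, 1): "TLSv1.0",
            (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}

def classify_client_hello(data: bytes):
    """Return (hello_format, highest_version_offered) for captured bytes."""
    if len(data) < 11:
        return ("truncated", None)
    # SSLv3/TLS record layer: type 0x16 (handshake), then handshake type 1.
    if data[0] == 0x16 and data[1] == 3 and data[5] == 0x01:
        return ("record", VERSIONS.get((data[9], data[10]), "unknown"))
    # SSLv2-format hello: 2-byte header with the high bit set, msg type 1.
    if data[0] & 0x80 and data[2] == 0x01:
        body_len = ((data[0] & 0x7F) << 8) | data[1]
        cs_len, sid_len, ch_len = struct.unpack(">HHH", data[5:11])
        # Reject look-alikes whose internal lengths do not add up.
        if body_len != 9 + cs_len + sid_len + ch_len:
            return ("unknown", None)
        return ("SSLv2Hello", VERSIONS.get((data[3], data[4]), "unknown"))
    return ("unknown", None)

def sample_v2_hello(major, minor):
    """Constructed SSLv2-format hello: one cipher spec, 16-byte challenge."""
    body = struct.pack(">BBBHHH", 1, major, minor, 3, 0, 16)
    body += b"\x00\x00\x0a" + bytes(16)
    return struct.pack(">H", 0x8000 | len(body)) + body

def sample_record_hello(major, minor):
    """Constructed record-layer ClientHello with one cipher suite."""
    hello = (bytes([major, minor]) + bytes(32) + b"\x00"
             + b"\x00\x02\x00\x2f" + b"\x01\x00")
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs

if __name__ == "__main__":
    for name, blob in [("v2-format, offers SSLv3", sample_v2_hello(3, 0)),
                       ("v2-format, offers TLSv1.0", sample_v2_hello(3, 1)),
                       ("record, offers TLSv1.2", sample_record_hello(3, 3))]:
        print(name, "->", classify_client_hello(blob))
```

Feeding it the first bytes of the health-check connection from a packet capture shows which hello format the client actually sent, independent of what the server log reports.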