>>>> javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled
>>> You need to disable SSLv3 in haproxy
>>
>> We are talking about the SSLv2 hello format. It's not about SSLv2
>> or SSLv3, it's about the hello format.
> Which can also be used by sslv3 clients hence my comment.

True, but disabling or enabling SSLv3 doesn't impact the hello format behavior in OpenSSL afaik.

> However, haproxy unconditionally sets SSL_OP_NO_SSLv2, which
> makes openssl not use the SSLv2 Hello, so I don't see why this would
> happen.

This is the openssl behavior since 0.9.8:
https://github.com/openssl/openssl/commit/c6c2e3135dd6cff21bb4cd05a3891b5fdde04977

Maybe the OP uses an ancient openssl version (<= 0.9.7).

Galit, can you provide the output of "haproxy -vv"? Also please clarify if you are authenticating the client and/or the server.

Providing a tcpdump of this failed handshake would also be helpful.

Regards,
Lukas
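
When reading a capture such as the tcpdump requested above, the first bytes the initiating side sends show whether it used the SSLv2-compatible hello format or a normal SSLv3/TLS record. The following is an added example, not part of the original message and not haproxy or OpenSSL code; the function name and the sample byte strings are constructed for illustration.

```python
# Classify the first bytes of a handshake as an SSLv2-format ClientHello
# or an SSLv3/TLS record-layer ClientHello.
VERSIONS = {(2, 0): "SSLv2", (3, 0): "SSLv3", (3, 1): "TLSv1.0",
            (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}

def classify_client_hello(data: bytes) -> dict:
    if len(data) < 5:
        return {"format": "unknown", "reason": "too short"}
    # SSLv2 record: 2-byte header with the top bit set, 15-bit length,
    # then message type 1 (CLIENT-HELLO) and the highest version offered.
    if data[0] & 0x80 and data[2] == 0x01:
        return {"format": "sslv2-hello",
                "record_length": ((data[0] & 0x7F) << 8) | data[1],
                "offered_version": VERSIONS.get((data[3], data[4]), "unknown")}
    # SSLv3/TLS record: content type 22 (handshake), major version 3,
    # 2-byte length, then handshake type 1 (ClientHello), 3-byte length,
    # and client_version at offset 9.
    if data[0] == 0x16 and data[1] == 0x03:
        if len(data) < 11 or data[5] != 0x01:
            return {"format": "tls-record", "reason": "not a ClientHello"}
        return {"format": "tls-record",
                "record_version": VERSIONS.get((data[1], data[2]), "unknown"),
                "offered_version": VERSIONS.get((data[9], data[10]), "unknown")}
    return {"format": "unknown", "reason": "not an SSL/TLS handshake"}

# Constructed sample: SSLv2-format hello from a client offering TLSv1.0
# (header 0x802e = 46 bytes; only the fixed-size prefix is included).
SSLV2_FORMAT_HELLO = bytes.fromhex("802e0103010015000000" "10")
# Constructed sample: TLS record-layer ClientHello offering TLSv1.2.
TLS_RECORD_HELLO = bytes.fromhex("160301002f0100002b0303")

if __name__ == "__main__":
    for name, sample in (("sslv2-format", SSLV2_FORMAT_HELLO),
                         ("tls-record", TLS_RECORD_HELLO)):
        print(name, classify_client_hello(sample))
```

An "sslv2-hello" result with an offered version of SSLv3 or later matches the case discussed in the thread: the hello format is SSLv2-style even though the protocol being negotiated is not SSLv2.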

