Thanks, all, for your help!
For your questions: I use openssl 0.9.8.

Haproxy -vv:

[root@proxy-au51 ~]# haproxy -vv
HA-Proxy version 1.5.9 2014/11/25
Copyright 2000-2014 Willy Tarreau <[email protected]>

Build options :
  TARGET  = linux26
  CPU     = i686
  CC      = gcc
  CFLAGS  = -m32 -march=i686 -O2 -march=i686 -g -fno-strict-aliasing
  OPTIONS = USE_LINUX_SPLICE=1 USE_LINUX_TPROXY=1 USE_LIBCRYPT=1 USE_OPENSSL=1 USE_PCRE=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built without zlib support (USE_ZLIB not set)
Compression algorithms supported : identity
Built with OpenSSL version : OpenSSL 0.9.8b 04 May 2006
Running on OpenSSL version : OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : no (version might be too old, 0.9.8f min needed)
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 6.6 06-Feb-2006
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Currently only the server requires authentication, in TLS only (!), and the haproxy is configured with "check verify none" for all servers.

-----Original Message-----
From: Lukas Tribus [mailto:[email protected]]
Sent: Wednesday, December 02, 2015 11:25 AM
To: Igor Cicimov
Cc: Cohen Galit; HAProxy
Subject: RE: SSLv2Hello is disabled

>>>> javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled
>>> You need to disable SSLv3 in haproxy
>>
>> We are talking about the SSLv2 hello format. It's not about SSLv2
>> or SSLv3, it's about the hello format.
> Which can also be used by sslv3 clients hence my comment.

True, but disabling or enabling SSLv3 doesn't impact the hello format behavior in OpenSSL afaik.

> However, haproxy unconditionally sets SSL_OP_NO_SSLv2, which
> makes openssl not use the SSLv2 Hello, so I don't see why this would
> happen.

This is the openssl behavior since 0.9.8:
http://cp.mcafee.com/d/avndxNJ5xwQsToupK-rKrjhpKCOyyCYrhhhsKYUM-qejqqbdSknxPP9IKyr8WvavmGj-0a3SUXOVIfrzLbCXKL4fvsvW_cEThuKPRXBQSrIsUMyyY-NR4kRHFGTohVkffGhBrwqrhdECXY-UUOYevovsdTdAVPmEBC4pj9JAenOGTMFg_aHv2B3YnlBfbemjZB5BZ11OPHGq90wNp2X-IL6zB4w-WwxZS3hOe76PSOFoKOe1heINfBPqrybxI5zihEw61waCkMLVVZjh1axEwgBji1_E6QT3uqJKGV6N

Maybe the OP uses an ancient openssl version (<= 0.9.7).

Galit, can you provide the output of "haproxy -vv"?

Also please clarify if you are authenticating the client and/or the server.

Providing a tcpdump of this failed handshake would also be helpful.

Regards,
Lukas

________________________________
"This e-mail message may contain confidential, commercial or privileged information that constitutes proprietary information of Xura, Inc. or its subsidiaries. If you are not the intended recipient of this message, you are hereby notified that any review, use or distribution of this information is absolutely prohibited and we request that you delete all copies and contact us by e-mailing to: [email protected]. Thank You."

