I want to emphasize that the following test succeeded:
[root@proxy-au51 ~]# openssl s_client -connect 10.106.75.53:50443 -tls1
CONNECTED(00000003)
depth=0 /C=IL/ST=Israel/L=Raanana/O=Comverse/OU=VI/CN=Gal Siman-Tov
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=IL/ST=xxxxxx/L=Raxxxxxxanana/O=xxxxxx/OU=VI/CN=Gal Siman-Tov
verify return:1
---
Certificate chain
0 s:/C=IL/ST=xxxx/L=Raanana/O=Comverse/OU=VI/CN=xxxxxxxx
i:/C=IL/ST=Isrxxxxael/L=Raanana/O=Comverse/OU=VI/CN=xxxxxxxx
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDbzCCAlegAwIBAgIEODZqEjANBgkqhkiG9w0BAQUFADBoMQswCQYDVQQGEwJJ
TDEPMA0GA1UECBMGSXNyYWVsMRAwDgYDVQQHEwdSYWFuYW5hMREwDwYDVQQKEwhD
b212ZXJzZTELMAkGA1UECxMCVkkxFjAUBgNVBAMTDUdhbCBTaW1hbi1Ub3YwHhcN
MTUwMjA0MTc1MzE3WhcNMjUwMjAxMTc1MzE3WjBoMQswCQYDVQQGEwJJTDEPMA0G
A1UECBMGSXNyYWVsMRAwDgYDVQQHEwdSYWFuYW5hMREwDwYDVQQKEwhDb212ZXJz
ZTELMAkGA1UECxMCVkkxFjAUBgNVBAMTDUdhbCBTaW1hbi1Ub3YwggEiMA0GCSqG
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCNZK+US6c8d7tYea/scluOkvJGV8VyA7vE
46VJk1J0s8dZtO6W+eqq/vu+oq0sIzdmdkmUeVtSniLEhFezCZ3v03tX0JhdfX3j
Fy6m9TWUHIsBwFkbYBDDYZhAiHkc7WddaNIhsYeaamDuzJfVtJgjqTsfQtV0xLka
COiJuuKyeI9n1X6WP+6HLsL5ojZ+dojDZ2hVH5FKZQlyDhwS316ju99mesAgFUTo
Nv/Pmja8kY/Yhvc65H9qi1Wjhj9lorwvgRiMJpH0fxi3Ql2QQVEMBNdUybN7bKvj
sqAXlz7f0zrvJ95+I80quvFiuVN89K3ZRVqp5duAlRtNtbhntjybAgMBAAGjITAf
MB0GA1UdDgQWBBSE0La+5RhFg6j4Ugwb35ThELljyDANBgkqhkiG9w0BAQUFAAOC
AQEAT+K7pyymL/zJnbaEDGQj6GZM/qtjj92uEzfeNkiWD0v33CL39FnF4vedXvSr
ArzgosqCXYVjYjRurd7wCQCKEO6qCA4R8oAiFtJE7+8ec0Qcrl9kYt6TAZrOS1VE
Kj5HYMPg2UgW49s7/0r29XV+x7wuMAsdlaEoDhLTyg/ttP8AxJJZHWSIDYnmzu6x
TNAdBMWMADXsH1KejOCJNv1F6QkKz0LzStm9D1FekhMzJNe1ySxYkuO8YKtXYOla
Q/p2zK+f5qeFwSQBGzTK26SzaY2NF8DbzptbFCNAJMqJujEL5C2hijxUJidrqh38
tzTzqay2P3NOFu/kgOFuihDq/g==
-----END CERTIFICATE-----
subject=/C=IL/ST=Israel/L=Raanana/O=Comverse/OU=VI/CN=Gal Siman-Tov
issuer=/C=IL/ST=Israel/L=Raanana/O=Comverse/OU=VI/CN=Gal Siman-Tov
---
No client certificate CA names sent
---
SSL handshake has read 1042 bytes and written 414 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES128-SHA
Session-ID: 565ED9FB74A01720D18A2CF312E23565C5143CA8295A30165634352CB635CA02
Session-ID-ctx:
Master-Key:
52C850B4C0D022CA6D32C1CF6F2069BB8A11475EB10C8EEE6FC524295C3EEDC08EF58A8A3FBD50428D29EEFDADE653A1
Key-Arg : None
Krb5 Principal: None
Start Time: 1449056763
Timeout : 7200 (sec)
Verify return code: 18 (self signed certificate)
---
* OK IMAP4 proxy ready (Multi Interface Supplementing Tunnel)
Should I just add to haproxy.cfg the following?
defaults
    log global
    mode tcp
    option tcplog
    option dontlognull
    retries 3
    maxconn 90096
    timeout client 600000
    timeout server 60000
    timeout connect 5000
    force-tlsv10
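The s_client transcript above "succeeds" only in the sense that a handshake completes: it negotiates TLSv1, a non-forward-secret cipher, and a self-signed certificate that fails chain verification (return code 18). The following script is an added example, not code from the thread or from the HAProxy project; it parses the relevant fields out of an `openssl s_client` transcript and lists what a reviewer would flag. The sample text is a constructed copy of the fields from the transcript above, and the `run_s_client` helper (which shells out to the real `openssl` binary) is assumed, not something the thread describes.

```python
from __future__ import annotations

import re
import subprocess

# Constructed sample: the decision-relevant lines of the s_client run above,
# with the certificate body omitted. Any s_client run emits the same fields.
SAMPLE = """\
depth=0 /C=IL/ST=Israel/L=Raanana/O=Comverse/OU=VI/CN=Gal Siman-Tov
verify error:num=18:self signed certificate
verify return:1
---
subject=/C=IL/ST=Israel/L=Raanana/O=Comverse/OU=VI/CN=Gal Siman-Tov
issuer=/C=IL/ST=Israel/L=Raanana/O=Comverse/OU=VI/CN=Gal Siman-Tov
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
    Verify return code: 18 (self signed certificate)
"""

# Protocol versions that should not be accepted on a new deployment.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def parse_s_client(text: str) -> dict:
    """Extract protocol, cipher, key size, subject/issuer and the verify result."""

    def grab(pattern: str) -> str | None:
        m = re.search(pattern, text, re.M)
        return m.group(1).strip() if m else None

    verify = re.search(r"Verify return code:\s*(\d+)\s*\(([^)]*)\)", text)
    return {
        # Anchored at line start so "New, TLSv1/SSLv3, Cipher is ..." is skipped.
        "protocol": grab(r"^\s*Protocol\s*:\s*(\S+)"),
        "cipher": grab(r"^\s*Cipher\s*:\s*(\S+)"),
        "key_bits": int(grab(r"Server public key is (\d+) bit") or 0),
        "subject": grab(r"^subject=(.*)$"),
        "issuer": grab(r"^issuer=(.*)$"),
        "verify_code": int(verify.group(1)) if verify else None,
        "verify_msg": verify.group(2) if verify else None,
        "secure_reneg": "Secure Renegotiation IS supported" in text,
    }


def assess(h: dict) -> list[str]:
    """Return the findings a reviewer would raise about one handshake."""
    findings: list[str] = []
    if h["protocol"] in WEAK_PROTOCOLS:
        findings.append(f"negotiated {h['protocol']}: deprecated protocol version")
    if h["verify_code"] not in (None, 0):
        findings.append(
            f"chain verification failed: code {h['verify_code']} ({h['verify_msg']})"
        )
    if h["subject"] and h["subject"] == h["issuer"]:
        findings.append("server certificate is self-signed (subject == issuer)")
    if h["key_bits"] and h["key_bits"] < 2048:
        findings.append(f"server key is only {h['key_bits']} bits")
    # Non-(EC)DHE suites have no forward secrecy; AES128-SHA is plain RSA key exchange.
    if h["cipher"] and not re.search(r"ECDHE|DHE", h["cipher"]):
        findings.append(f"cipher {h['cipher']} offers no forward secrecy")
    if not h["secure_reneg"]:
        findings.append("secure renegotiation not supported")
    return findings


def run_s_client(host: str, port: int, extra: list[str] | None = None) -> str:
    """Assumed helper: run the real openssl s_client against host:port and return its output."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", *(extra or [])]
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=15)
    return proc.stdout.decode(errors="replace")


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; swap in run_s_client(...)
    # to check a live listener.
    for finding in assess(parse_s_client(SAMPLE)):
        print("-", finding)
```

Run as-is it evaluates the constructed sample; the same two functions can be pointed at `run_s_client("10.106.75.53", 50443, ["-tls1"])` output to re-check the listener from the thread after the configuration is changed.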
-----Original Message-----
From: Lukas Tribus [mailto:[email protected]]
Sent: Wednesday, December 02, 2015 11:25 AM
To: Igor Cicimov
Cc: Cohen Galit; HAProxy
Subject: RE: SSLv2Hello is disabled
>>>> javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled
>>> You need to disable SSLv3 in haproxy
>>
>> We are talking about the SSLv2 hello format. It's not about SSLv2
>> or SSLv3, it's about the hello format.
> Which can also be used by sslv3 clients hence my comment.
True, but disabling or enabling SSLv3 doesn't impact the hello format
behavior in OpenSSL afaik.
> However, haproxy unconditionally sets SSL_OP_NO_SSLv2, which
> makes openssl not use the SSLv2 Hello, so I don't see why this would
> happen.
This is the openssl behavior since 0.9.8:
http://cp.mcafee.com/d/avndxNJ5xwQsToupK-rKrjhpKCOyyCYrhhhsKYUM-qejqqbdSknxPP9IKyr8WvavmGj-0a3SUXOVIfrzLbCXKL4fvsvW_cEThuKPRXBQSrIsUMyyY-NR4kRHFGTohVkffGhBrwqrhdECXY-UUOYevovsdTdAVPmEBC4pj9JAenOGTMFg_aHv2B3YnlBfbemjZB5BZ11OPHGq90wNp2X-IL6zB4w-WwxZS3hOe76PSOFoKOe1heINfBPqrybxI5zihEw61waCkMLVVZjh1axEwgBji1_E6QT3uqJKGV6N
Maybe the OP uses an ancient openssl version (<= 0.9.7).
Galit, can you provide the output of "haproxy -vv"?
Also please clarify if you are authenticating the client and/or the server.
Providing a tcpdump of this failed handshake would also be helpful.
Regards,
Lukas