-----Original Message-----
From: Lukas Tribus [mailto:[email protected]]
Sent: Wednesday, December 02, 2015 4:42 PM
To: Cohen Galit; Igor Cicimov
Cc: HAProxy
Subject: RE: SSLv2Hello is disabled

Hi Galit,

> I want to emphasize that the following test succeeded:
>
> [root@proxy-au51 ~]# openssl s_client -connect 10.106.75.53:50443 -tls1
>
> CONNECTED(00000003)

Ok.

> Built with OpenSSL version : OpenSSL 0.9.8b 04 May 2006
> Running on OpenSSL version : OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008

I don't like this. Built against an older non-fips 0.9.8b while running with 0.9.8e-fips. This could very well cause issues here.

Let me guess, RPMs have not been installed via the original repository, but via third party RPM website from Google, right? That's not good.

[Cohen Galit] I'm sorry, I can't answer that since I got this rpm as is. I'll try to pack again the OpenSSL files (must work with rpm) from original repository and will let you know. Thanks.

> Should I just add to haproxy.cfg the following?
> force-tlsv10

Yes, you can try:

global
    ssl-default-server-options no-sslv3

or:

global
    ssl-default-server-options force-tlsv10

But I'm afraid it may be more complex than that ...

Regards,

Lukas

