On Wed, Feb 10, 2016 at 5:11 PM, Beluc <[email protected]> wrote:
> Hi,
>
> I can't find out why the SSL check is not working while the openssl return is OK.
>
> global
>     ssl-default-bind-ciphers kEECDH+aECDSA+AES:kEECDH+aRSA+AES:kRSA+AES:+AES256:!kEDH:!LOW:!EXP:!MD5:!RC4:!aNULL:!eNULL
>
> backend ABC
>     mode http
>     server 1.2.3.4 1.2.3.4:443 check ssl verify required ca-file /etc/ssl/certs/GlobalSign_Root_CA_-_R2.pem
>
>
> # echo Q | openssl s_client -connect 1.2.3.4:443 -CAfile /etc/ssl/certs/GlobalSign_Root_CA_-_R2.pem -cipher 'kEECDH+aECDSA+AES:kEECDH+aRSA+AES:kRSA+AES:+AES256:!kEDH:!LOW:!EXP:!MD5:!RC4:!aNULL:!eNULL'
> CONNECTED(00000003)
> depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
> verify return:1
> depth=1 O = AlphaSSL, CN = AlphaSSL CA - G2
> verify return:1
> depth=0 C = FR, OU = Domain Control Validated, CN = sslABC
> verify return:1
> ---
> Certificate chain
>  0 s:/C=FR/OU=Domain Control Validated/CN=sslABC
>    i:/O=AlphaSSL/CN=AlphaSSL CA - G2
>  1 s:/O=AlphaSSL/CN=AlphaSSL CA - G2
>    i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
>  2 s:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
>    i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> [...]
> -----END CERTIFICATE-----
> subject=/C=FR/OU=Domain Control Validated/CN=sslABC
> issuer=/O=AlphaSSL/CN=AlphaSSL CA - G2
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 3289 bytes and written 523 bytes
> ---
> New, TLSv1/SSLv3, Cipher is AES256-SHA
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : AES256-SHA
>     Session-ID:
>     Session-ID-ctx:
>     Master-Key: [...]
>     Key-Arg   : None
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     Start Time: 1455120471
>     Timeout   : 300 (sec)
>     Verify return code: 0 (ok)
> ---
> DONE
>
> I also forced tlsv1 use without success.
>
> Did I miss something?
>
> Regards
>

What happens when you use "verify none"?

Baptiste
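An added diagnostic, not part of this thread and not HAProxy's own check code: it performs the verification that a `verify required ca-file` server line asks for against a host, CA file and expected name of your choosing, and reports whether the TCP connection, the chain or the name is what fails. The `openssl s_client` run quoted above reports chain verification only; it does not compare the certificate name unless told to. The host, port, CA path and name in the `__main__` block are placeholders copied from the post.

```python
import socket
import ssl

# Hypothetical helper (added here, not from the thread or from HAProxy).
# Stage 1 trusts only ca_file and requires a valid chain; stage 2 additionally
# requires the certificate to match server_name, so the two failures are told apart.

def build_context(ca_file, check_hostname):
    """Client context trusting only ca_file, like 'verify required ca-file'."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = check_hostname
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_verify_locations(cafile=ca_file)
    return ctx

def handshake(host, port, ctx, server_name, timeout):
    """One TLS handshake; returns (protocol, cipher name) or raises ssl.SSLError."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            return tls.version(), tls.cipher()[0]

def probe(host, port, ca_file, server_name=None, timeout=5.0):
    """Return (stage, detail); stage is 'connect', 'chain', 'handshake', 'hostname' or 'ok'."""
    try:
        socket.create_connection((host, port), timeout=timeout).close()
    except OSError as e:
        return "connect", str(e)
    # Stage 1: chain only, the part that openssl s_client's 'Verify return code' covers.
    try:
        proto, cipher = handshake(host, port, build_context(ca_file, False), server_name, timeout)
    except ssl.SSLCertVerificationError as e:
        return "chain", e.verify_message
    except ssl.SSLError as e:
        return "handshake", str(e)          # e.g. no common cipher or protocol version
    # Stage 2: the certificate name must also match server_name, when one is given.
    if server_name:
        try:
            handshake(host, port, build_context(ca_file, True), server_name, timeout)
        except ssl.SSLCertVerificationError as e:
            return "hostname", e.verify_message
    return "ok", f"{proto} {cipher}"

if __name__ == "__main__":
    # Placeholder target values taken from the post; replace with your own.
    print(probe("1.2.3.4", 443, "/etc/ssl/certs/GlobalSign_Root_CA_-_R2.pem", "sslABC"))
```

The returned protocol and cipher on the `ok` path let you compare what the check actually negotiated with the TLSv1 / AES256-SHA session shown in the s_client output.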
