Hi, well, I finally found the problem: I was using a bad CAfile (the good one is /etc/ssl/certs/GlobalSign_Root_CA.pem). Damned openssl that did not tell anything :(
Regards,

2016-02-10 17:26 GMT+01:00 Beluc <[email protected]>:
> It's working, server is UP.
>
> 2016-02-10 17:21 GMT+01:00 Baptiste <[email protected]>:
>> On Wed, Feb 10, 2016 at 5:11 PM, Beluc <[email protected]> wrote:
>>> Hi,
>>>
>>> I can't find out why the ssl check is not working while openssl returns ok.
>>>
>>> global
>>>     ssl-default-bind-ciphers kEECDH+aECDSA+AES:kEECDH+aRSA+AES:kRSA+AES:+AES256:!kEDH:!LOW:!EXP:!MD5:!RC4:!aNULL:!eNULL
>>>
>>> backend ABC
>>>     mode http
>>>     server 1.2.3.4 1.2.3.4:443 check ssl verify required ca-file /etc/ssl/certs/GlobalSign_Root_CA_-_R2.pem
>>>
>>>
>>> # echo Q | openssl s_client -connect 1.2.3.4:443 -CAfile /etc/ssl/certs/GlobalSign_Root_CA_-_R2.pem -cipher 'kEECDH+aECDSA+AES:kEECDH+aRSA+AES:kRSA+AES:+AES256:!kEDH:!LOW:!EXP:!MD5:!RC4:!aNULL:!eNULL'
>>> CONNECTED(00000003)
>>> depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
>>> verify return:1
>>> depth=1 O = AlphaSSL, CN = AlphaSSL CA - G2
>>> verify return:1
>>> depth=0 C = FR, OU = Domain Control Validated, CN = sslABC
>>> verify return:1
>>> ---
>>> Certificate chain
>>>  0 s:/C=FR/OU=Domain Control Validated/CN=sslABC
>>>    i:/O=AlphaSSL/CN=AlphaSSL CA - G2
>>>  1 s:/O=AlphaSSL/CN=AlphaSSL CA - G2
>>>    i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
>>>  2 s:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
>>>    i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
>>> ---
>>> Server certificate
>>> -----BEGIN CERTIFICATE-----
>>> [...]
>>> -----END CERTIFICATE-----
>>> subject=/C=FR/OU=Domain Control Validated/CN=sslABC
>>> issuer=/O=AlphaSSL/CN=AlphaSSL CA - G2
>>> ---
>>> No client certificate CA names sent
>>> ---
>>> SSL handshake has read 3289 bytes and written 523 bytes
>>> ---
>>> New, TLSv1/SSLv3, Cipher is AES256-SHA
>>> Server public key is 2048 bit
>>> Secure Renegotiation IS supported
>>> Compression: NONE
>>> Expansion: NONE
>>> SSL-Session:
>>>     Protocol  : TLSv1
>>>     Cipher    : AES256-SHA
>>>     Session-ID:
>>>     Session-ID-ctx:
>>>     Master-Key: [...]
>>>     Key-Arg   : None
>>>     PSK identity: None
>>>     PSK identity hint: None
>>>     SRP username: None
>>>     Start Time: 1455120471
>>>     Timeout   : 300 (sec)
>>>     Verify return code: 0 (ok)
>>> ---
>>> DONE
>>>
>>> I also forced tlsv1 use without success.
>>>
>>> Did I miss something?
>>>
>>> Regards
>>>
>>
>> What happens when you use "verify none"?
>>
>> Baptiste
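Added example, not from the thread and not haproxy's or OpenSSL's own code: a script that builds two throwaway roots, signs a server certificate with one of them, and then checks that certificate against a single CA file with every default trust location switched off, which is the trust model of "check ssl verify required ca-file" (only the named file counts). The names "Example Root A", "Example Root B" and "backend.example" are constructed; it assumes OpenSSL 1.1.1 or newer for the -no-CAfile and -no-CApath options.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce a ca-file mismatch with two
# throwaway roots, then verify the server certificate against ONE CA file
# with every default trust location disabled. That is the trust model of
# haproxy's "check ssl verify required ca-file ..." (only that file counts).
# Assumes OpenSSL 1.1.1 or newer (for -no-CAfile/-no-CApath).
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed PKI: two self-signed roots; only Root A signs the server cert.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout rootA.key -out rootA.pem -subj "/CN=Example Root A" 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout rootB.key -out rootB.pem -subj "/CN=Example Root B" 2>/dev/null
openssl req -newkey rsa:2048 -nodes \
    -keyout server.key -out server.csr -subj "/CN=backend.example" 2>/dev/null
openssl x509 -req -in server.csr -CA rootA.pem -CAkey rootA.key \
    -CAcreateserial -days 1 -out server.pem 2>/dev/null

# OpenSSL 3.x also has a default "store" location; disable it when supported.
NOSTORE=
if openssl verify -help 2>&1 | grep -q -- '-no-CAstore'; then NOSTORE=-no-CAstore; fi

# check_ca_file CAFILE CERT: prints "ok" if CERT chains to CAFILE alone,
# "fail" otherwise (this is the answer haproxy's health check acts on).
check_ca_file() {
    if openssl verify -no-CAfile -no-CApath $NOSTORE -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# issuer_matches CAFILE CERT: cheap first look before blaming the TLS stack,
# comparing the hash of CERT's issuer name with the hash of CAFILE's subject.
issuer_matches() {
    [ "$(openssl x509 -noout -issuer_hash -in "$2")" = \
      "$(openssl x509 -noout -subject_hash -in "$1")" ]
}

for ca in rootA.pem rootB.pem; do
    if issuer_matches "$ca" server.pem; then names=match; else names=mismatch; fi
    echo "$ca: issuer name $names, verify $(check_ca_file "$ca" server.pem)"
done
# prints:
#   rootA.pem: issuer name match, verify ok
#   rootB.pem: issuer name mismatch, verify fail
```

A passing openssl s_client run is not the same check: depending on the OpenSSL version it also consults the default trust store alongside -CAfile, so test the configured file on its own as above before concluding that haproxy is at fault.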

