Hello,

On Tue, 2021-01-19 at 15:40 +0530, Amol Arote wrote:
> After upgrading to haproxy 2.3.2 we are facing the below SSL/TLS issue while
> connecting links internally, but when we check web browsing it's automatically
> getting TLS 1.2 and there is no such issue. When connecting internal links it's
> not getting TLS 1.2, it's showing TLS 1.0 and showing the below error message.
> 
> org.apache.commons.httpclient.HttpMethodDirector executeWithRetry
> INFO: I/O exception (javax.net.ssl.SSLException) caught when processing
> request: Received fatal alert: protocol_version
> 
> Earlier we were using HA-Proxy version 2.1.2, where everything was working fine.
> We are using CentOS 7.6 and Java 1.7.

AFAIK haproxy-2.2 defaults to tls1.2 on bind:
(MEDIUM: ssl: use TLSv1.2 as the minimum default on bind lines)
https://www.haproxy.org/download/2.3/src/CHANGELOG

Can you connect to haproxy with tls1.0:
openssl s_client -connect your-haproxy-ip:443 -tls1

You can try to enable tls1.0 on server bind with:
ssl-min-ver TLSv1.0
https://cbonte.github.io/haproxy-dconv/2.3/configuration.html#5.1-ssl-min-ver

(Also AFAIK up2date java-1.7 should be able to use tls1.2).

-Jarno

-- 
Jarno Huuskonen
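
Added example, not part of the original message or of haproxy itself: a small audit that reports the effective minimum TLS version of every TLS bind line, so a bind lowered with ssl-min-ver for a legacy client stays visible. It assumes only `ssl-min-ver` on bind lines and in `ssl-default-bind-options` is used (the older `no-tlsv*`/`force-tlsv*` keywords are not handled); the function names and the sample configuration are constructed for illustration.

```python
VERSIONS = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]  # weakest first
DEFAULT_MIN = "TLSv1.2"  # bind default since haproxy 2.2 (CHANGELOG entry above)
SECTIONS = ("global", "defaults", "frontend", "backend", "listen")

# Constructed sample configuration (addresses and paths are made up).
SAMPLE = """
global
    ssl-default-bind-options ssl-min-ver TLSv1.1   # site-wide default
frontend public
    bind :443 ssl crt /etc/haproxy/site.pem ssl-min-ver TLSv1.2
frontend legacy_internal
    bind 10.0.0.5:8443 ssl crt /etc/haproxy/site.pem ssl-min-ver TLSv1.0
frontend inherits_global
    bind :9443 ssl crt /etc/haproxy/site.pem
frontend plain
    bind :80
"""

def min_ver(tokens):
    """Return the version that follows 'ssl-min-ver' in a token list, or None."""
    if "ssl-min-ver" in tokens:
        i = tokens.index("ssl-min-ver")
        if i + 1 < len(tokens) and tokens[i + 1] in VERSIONS:
            return tokens[i + 1]
    return None

def audit_binds(config_text):
    """Return (section, address, effective minimum, below_tls12) per TLS bind."""
    # Tokenise each line, dropping '#' comments and blank lines.
    lines = [l.split("#", 1)[0].split() for l in config_text.splitlines()]
    lines = [t for t in lines if t]
    # First pass: a global default set through ssl-default-bind-options.
    global_min = None
    for t in lines:
        if t[0] == "ssl-default-bind-options":
            global_min = min_ver(t) or global_min
    # Second pass: the bind line wins, then the global default, then the built-in.
    section, results = "", []
    for t in lines:
        if t[0] in SECTIONS:
            section = " ".join(t[:2])
        elif t[0] == "bind" and "ssl" in t[2:]:
            eff = min_ver(t) or global_min or DEFAULT_MIN
            weak = VERSIONS.index(eff) < VERSIONS.index("TLSv1.2")
            results.append((section, t[1], eff, weak))
    return results

if __name__ == "__main__":
    for section, addr, eff, weak in audit_binds(SAMPLE):
        print(f"{section:26} {addr:16} min={eff} {'BELOW TLSv1.2' if weak else 'ok'}")
```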
