This specific Backend in my test lab is an IIS machine, but in
production I have OpenBSD/HAProxy in front of IIS, Apache, Tomcat,
I'm not doing anything fancy either... although the certificate in the
lab is signed by an internal CA.

Here's the relevant output from openssl s_client: The cert verifies
perfectly fine.
openssl s_client -connect
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA384
    Session-ID: C01300008246D3973B3106A378C0DB503D4BCDE02C6461AB073949027C90CDCF
    Start Time: 1593970747
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)

and Netcat:
nc -zv 443
Connection to 443 port [tcp/https] succeeded!

On Fri, Jul 3, 2020 at 9:40 PM Daniel Jakots <> wrote:
> On Fri, 3 Jul 2020 19:14:17 -0400, Henry Bonath <>
> wrote:
> > Daniel,
> >
> > Thanks for taking the time to test this out.
> > I just reloaded a test machine from scratch with -current and
> > installed the HAProxy 2.0.15-4f39279 package.
> > I loaded a very basic config file, and am also seeing the same exact
> > issue on this one as well.
> > Very strange that you are not -
> > Would you mind sharing any additional details of your config file?
> > Is there anything special about the certificate you have on the
> > backend server?
> >
> > I would love to understand what is going on here and what the
> > difference is with my experience.
> What is your backend running? Can you connect from the haproxy host with
> nc(1) and/or openssl(1)?
> I try to do my stuff as vanilla as possible so it's an RSA key signed
> by LE.
