Most likely your back-end servers use only legacy cyphers. Check
your setup.
In config.c we have
    SSL_CTX_clear_options(res->ctx, SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
    SSL_CTX_clear_options(res->ctx, SSL_OP_LEGACY_SERVER_CONNECT);
for the back-ends - comment them out if you really must.
On 27/10/15 17:03, Maciej Szeliga wrote:
> I am getting the following in the log:
>
> okt 27 17:00:47 dmz-kraken-1 pound[7383]: BIO_do_handshake with
> 192.168.250.101:443 failed: error:1412F152:SSL
> routines:SSL_PARSE_SERVERHELLO_TLSEXT:unsafe legacy renegotiation
> disabled
> okt 27 17:00:47 dmz-kraken-1 pound[7383]: BIO_do_handshake with
> 192.168.250.101:443 failed: error:1412F152:SSL
> routines:SSL_PARSE_SERVERHELLO_TLSEXT:unsafe legacy renegotiation
> disabled
>
> /Maciej
>
> From: Scott McKeown <[email protected]>
> To: Pound Mailing List <[email protected]>
> Date: 27-10-2015 15:46
> Subject: Re: [Pound Mailing List] SSL Backend not responding after
> upgrade from 2.6 to 2.7
>
> ------------------------------------------------------------------------
>
>
>
> Hi Maciej,
>
> If your backends are using HTTPS or a cert you should set the 'HTTPS'
> flag in the backend section of your pound configuration file.
>
> *HTTPS* [ "cert" ]
> The back-end is using HTTPS. If the optional parameter /cert/ is
> specified, *Pound* will present this certificate to the back-end.
>
>
>
> On 27 October 2015 at 14:17, Maciej Szeliga <[email protected]> wrote:
> Hi
>
> I've just upgraded our pound from ver. 2.6 to ver. 2.7
> After this upgrade we are not able to connect to an older SSLv3
> backend with https
>
> pound.cfg has Disable SSL2 and Disable SSL3 statements but afaik this
> only affected the frontend.
>
> Is this a new feature (and is there a way to disable it) ?
>
> The backend is running with a "fake" certificate, not a self signed
> but signed by a nonexisting CA, it has however been working on pound
> ver. 2.6
>
> NB. The backend can't be reconfigured to run http easily.
>
>
> /Maciej
>
> -- To unsubscribe send an email with subject unsubscribe to
> [email protected]. Please contact [email protected] for questions.
>
>
>
> --
> With Kind Regards.
>
> Scott McKeown
> Loadbalancer.org
> http://www.loadbalancer.org/
> Tel (UK) - +44 (0) 3303801064 (24x7)
> Tel (US) - +1 888.867.9504 (Toll Free)(24x7)
--
Robert Segall
Apsis GmbH
Postfach, Uetikon am See, CH-8707
Tel: +41-32-512 30 19
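
Added example (not part of the original thread and not Pound code): a small log triage script that lists which back-ends are being refused with the "unsafe legacy renegotiation disabled" error quoted above, so they can be updated rather than weakening config.c. It assumes each syslog record is a single line (the mail client wrapped them), that the error code uses the OpenSSL 1.x packed layout (library, function, reason), and all function names are hypothetical; the third sample record is constructed.

```python
import re
from collections import Counter

# Constructed sample: the two records from the thread, unwrapped to one line
# each, plus one constructed failure with a different reason for contrast.
SAMPLE_LOG = """\
okt 27 17:00:47 dmz-kraken-1 pound[7383]: BIO_do_handshake with 192.168.250.101:443 failed: error:1412F152:SSL routines:SSL_PARSE_SERVERHELLO_TLSEXT:unsafe legacy renegotiation disabled
okt 27 17:00:47 dmz-kraken-1 pound[7383]: BIO_do_handshake with 192.168.250.101:443 failed: error:1412F152:SSL routines:SSL_PARSE_SERVERHELLO_TLSEXT:unsafe legacy renegotiation disabled
okt 27 17:01:02 dmz-kraken-1 pound[7383]: BIO_do_handshake with 192.0.2.10:443 failed: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
"""

HANDSHAKE_RE = re.compile(
    r"pound\[\d+\]: BIO_do_handshake with (?P<backend>\S+) failed: "
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>.*)$"
)
# Reason field of 1412F152 (SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED).
LEGACY_RENEG_REASON = 0x152


def unpack_error(code_hex):
    """Split an OpenSSL 1.x packed error code into (lib, func, reason)."""
    e = int(code_hex, 16)
    return (e >> 24) & 0xFF, (e >> 12) & 0xFFF, e & 0xFFF


def handshake_failures(log_text):
    """Yield (backend, reason_code, reason_text) per failed back-end handshake."""
    for line in log_text.splitlines():
        m = HANDSHAKE_RE.search(line)
        if m:
            _, _, reason = unpack_error(m["code"])
            yield m["backend"], reason, m["reason"].strip()


def legacy_reneg_backends(log_text):
    """Count failures per back-end refused for lacking secure renegotiation."""
    hits = Counter()
    for backend, reason, _ in handshake_failures(log_text):
        if reason == LEGACY_RENEG_REASON:
            hits[backend] += 1
    return dict(hits)


if __name__ == "__main__":
    for backend, n in legacy_reneg_backends(SAMPLE_LOG).items():
        print(f"{backend}: {n} handshake(s) refused, no secure renegotiation")
```

Matching on the numeric reason field rather than the message text keeps the check stable if the function name in the record differs between OpenSSL 1.x builds.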