Hi Julien,

> SSLdump taken from the server:

Mmh, there is not much to read from this. Could you tcpdump the failed handshake (remember to use -s 0 to avoid truncating the packets) and provide the pcap file?

> Is anybody using ECDHE with haproxy from git at
> 506d050600ffa767345766bdc19752284c971a9f ?

It does work for me (ECDHE-RSA-AES256-SHA works, ECDHE-RSA-AES256-GCM-SHA384 results in "no ciphers available", but that's a different issue - it's probably disabled somewhere):

> lukas@ubuntuvm:~/haproxy$ ./haproxy -vv
> HA-Proxy version 1.5-dev19-12 2013/07/06
> [...]
> OPTIONS = USE_ZLIB=1 USE_OPENSSL=1 USE_STATIC_PCRE=1 USE_PCRE_JIT=1 USE_TFO=1
> [...]
> Built with OpenSSL version : OpenSSL 1.0.1e 11 Feb 2013
> Running on OpenSSL version : OpenSSL 1.0.1e 11 Feb 2013
> [...]
> lukas@ubuntuvm:~/haproxy$ openssl s_client -connect 10.0.0.55:443 -cipher ECDHE-RSA-AES256-GCM-SHA384
> CONNECTED(00000003)
> 3074357448:error:140740B5:SSL routines:SSL23_CLIENT_HELLO:no ciphers available:s23_clnt.c:469:
> [...]
> lukas@ubuntuvm:~/haproxy$ openssl s_client -connect 10.0.0.55:443 -cipher ECDHE-RSA-AES256-SHA
> CONNECTED(00000003)
> [...]
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> [...]

> I suspect the issue lies somewhere in the static build of openssl, but
> since I followed the doc and didn't add anything funky, I'm not sure
> what to look at next...

First thing I would do is to try OpenSSL stable, really. Even if the client correctly works with ECDHE, it doesn't mean it fully works in all conditions.

Regards,
Lukas
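The s_client runs above show the two outcomes worth telling apart when a cipher "does not work": the local OpenSSL refusing to build a ClientHello with that cipher (the SSL23_CLIENT_HELLO "no ciphers available" line) versus the server rejecting it during the handshake. The following helper, an added example rather than code from the thread or from haproxy, parses s_client output into that classification and offers a Python-native probe of the same kind; the host, port and cipher names passed to it are assumptions.

```python
import re
import socket
import ssl

# Errors raised while the client is still composing its hello mean the
# local OpenSSL lacks the cipher or protocol; anything later is the server's answer.
_CLIENT_SIDE = ("SSL23_CLIENT_HELLO", "SSL3_CLIENT_HELLO", "SSL2_WRITE", "SSL_CTX_SET_CIPHER_LIST")

def parse_s_client(output):
    """Classify 'openssl s_client' output: negotiated cipher, or where it failed."""
    m = re.search(r"^New, [^,]+, Cipher is (\S+)", output, re.M)
    if m and m.group(1) != "(NONE)":
        return {"ok": True, "cipher": m.group(1)}
    # OpenSSL 1.0.x error line: pid:error:CODE:SSL routines:FUNCTION:reason:file:line:
    m = re.search(r"error:([0-9A-F]+):SSL routines:([^:]+):([^:]+):", output)
    if m:
        code, func, reason = m.groups()
        side = "client" if func.startswith(_CLIENT_SIDE) else "server"
        return {"ok": False, "code": code, "function": func, "reason": reason, "side": side}
    return {"ok": False, "reason": "unknown", "side": "unknown"}

def probe(host, port, cipher, timeout=5.0):
    """Handshake restricted to `cipher`, like 's_client -cipher', using the local OpenSSL."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # only cipher negotiation is of interest here
    try:
        ctx.set_ciphers(cipher)  # raises if the local library offers nothing matching
    except ssl.SSLError as e:
        return {"ok": False, "side": "client", "reason": "no ciphers available", "detail": str(e)}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                name, proto, bits = tls.cipher()
                return {"ok": True, "cipher": name, "protocol": proto, "bits": bits}
    except (ssl.SSLError, OSError) as e:
        return {"ok": False, "side": "server", "reason": str(e)}

if __name__ == "__main__":
    # Assumed target; compare the result with the s_client run for the same cipher.
    print(probe("10.0.0.55", 443, "ECDHE-RSA-AES256-GCM-SHA384"))
```

A "client"-side failure points at the OpenSSL the client was built against, not at haproxy; a "server"-side one is what the suggested tcpdump of the handshake would show in the ServerHello or alert.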
> SSLdump taken from the server: Mmh, there is not much to read from this. Could the tcpdump the failed handshake (remember to use -s 0 to avoid truncating the packets) and provide the pcap file? > Is anybody using ECDHE with haproxy from git at > 506d050600ffa767345766bdc19752284c971a9f ? It does work for me (ECDHE-RSA-AES256-SHA works, ECDHE-RSA-AES256-GCM-SHA384 results in "no ciphers available", but thats a different issue - its probably disabled somewhere): > lukas@ubuntuvm:~/haproxy$ ./haproxy -vv > HA-Proxy version 1.5-dev19-12 2013/07/06 > [...] > OPTIONS = USE_ZLIB=1 USE_OPENSSL=1 USE_STATIC_PCRE=1 USE_PCRE_JIT=1 > USE_TFO=1 > [...] > Built with OpenSSL version : OpenSSL 1.0.1e 11 Feb 2013 > Running on OpenSSL version : OpenSSL 1.0.1e 11 Feb 2013 > [...] > lukas@ubuntuvm:~/haproxy$ openssl s_client -connect 10.0.0.55:443 -cipher > ECDHE-RSA-AES256-GCM-SHA384 > CONNECTED(00000003) > 3074357448:error:140740B5:SSL routines:SSL23_CLIENT_HELLO:no ciphers > available:s23_clnt.c:469: > [...] > lukas@ubuntuvm:~/haproxy$ openssl s_client -connect 10.0.0.55:443 -cipher > ECDHE-RSA-AES256-SHA > CONNECTED(00000003) > [...] > New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA > Server public key is 2048 bit > Secure Renegotiation IS supported > [...] > I suspect the issue lies somewhere in the static build of openssl, but > since I followed the doc and didn't add anything funky, I'm not sure > what to look at next... First thing I would do is to try OpenSSL stable, really. Even if the client correctly works with ECDHE, it doesn't mean it fully works in all conditions. Regards, Lukas