Hello,
Due to connection limit problems I'd like to remove stunnel from a
configuration in front of haproxy.
The original setup was:
- stunnel was responsible for the SSL(https) connection
- using localhost the web traffic was transferred to haproxy
- haproxy divided traffic into web page requests and the Java software tunnel
to an application server via websocket.
I updated haproxy from version 1.4.2 to 1.5.5 on a Red Hat Enterprise Linux 6.5
host and the mentioned setup still worked fine. Using a test system I tried to
add the SSL functionality directly to haproxy and removed stunnel from the
setup.
The web pages are still working with any crypto protocols and ciphers but the
upgrade to websocket does not work anymore. I can see that the Java client
sends initial packets to start the encryption but drops the connection with a
FIN+ACK after haproxy sends a TLSv1.2 proposal. The haproxy log then tells:
Connection closed during SSL handshake
Additionally, I tested all the crypto protocol options in the Java control
panel from SSLv3 up to TLSv1.2 — all with the same result. There is no
additional crypto library implemented in the client software, so it depends
completely on the Java settings. I used a very recent version of Java 7 for my
tests.
Does somebody have further ideas about what I might have overlooked?
Thanks in advance.
Best regards,
Heiko
---
Heiko Burghardt
IT Infrastructure