Hello Lukas, Thanks for your reply. You can find my additional information in your text below.
> On 17.10.2014 at 01:32, Lukas Tribus <luky...@hotmail.com> wrote:
>
> Gonna need to see your configuration to be able to help you, especially ssl
> and http related parts.

#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
    log         127.0.0.1 local2 debug alert
    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     4096
    user        haproxy
    group       haproxy
    daemon
    nbproc      1
    #ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
    mode                    http
    log                     global
    option                  httplog
    option                  logasap
    option                  redispatch
    balance                 roundrobin
    timeout connect         10000   # default 10 second time out if a backend is not found
    timeout client          86400000
    timeout server          300000
    timeout queue           5000
    maxconn                 60000
    retries                 3
    default_backend         deny_backend

#---------------------------------------------------------------------
# test configuration
#---------------------------------------------------------------------
frontend test1
    bind *:443 ssl crt /etc/pki/tls/certs/domain.com-haproxy.pem #ciphers HIGH:RC4-SHA:!ADH
    #ciphers AES:RC4:ALL:!aNULL:!eNULL:!LOW:!EXPORT:!SSLv2:!ECDH
    reqadd X-Forwarded-Proto:\ https

    acl nourl        url /
    acl baseurl      url /java-app
    acl is_websocket hdr(Upgrade) -i WebSocket
    acl is_websocket path_beg /java-app/r3
    acl is_download  path_beg /java-app/
    acl admin_url    path_beg /admin
    acl is_admin     src 192.168.1.0/24

    redirect location http://www.domain.com/ if nourl
    redirect location https://test.domain.com/java-app/ if baseurl

    use_backend test1_socket_backend  if is_websocket
    use_backend test1_website_backend if is_download ! is_websocket
    use_backend private_monitoring    if is_admin admin_url

#-Backends------------------------------------------------------------
backend deny_backend
    option httpclose
    reqideny .*

backend private_monitoring
    stats enable
    stats uri /admin?stats
    stats refresh 10s

# Test1
backend test1_website_backend
    option httpclose
    server test1 <internal hostname>:8080

backend test1_socket_backend
    no option httpclose
    server test1 <internal hostname>:8080
#---------------------------------------------------------------------

Changing "bind *:443 ssl crt /etc/pki/tls/certs/domain.com-haproxy.pem" to "bind *:81" (and removing the https line next to it) makes it run with stunnel.

> Out of the back of my mind I recall Java has problems with DHE ciphers
> when the dh size is more than 1024 bits. Could that be your case?

I read about it somewhere and was aware of it (a known problem with Java 7). I tested with the default of 1024 bit but also tried with other values. There was no change in behavior.

> Can you share a tcpdump capture of the failed handshake (don't forget -s0
> otherwise packets will be truncated).
43 29.413080 <CLIENT>  <HAPROXY> TCP     80   62199→443 [SYN] Seq=0 Win=65535 Len=0 MSS=1452 WS=16 TSval=666771533 TSecr=0 SACK_PERM=1
44 29.413184 <HAPROXY> <CLIENT>  TCP     76   443→62199 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 MSS=1460 SACK_PERM=1 TSval=1791798027 TSecr=666771533 WS=64
45 29.430494 <CLIENT>  <HAPROXY> TCP     68   62199→443 [ACK] Seq=1 Ack=1 Win=132480 Len=0 TSval=666771557 TSecr=1791798027
46 29.435106 <CLIENT>  <HAPROXY> SSLv2   213  Client Hello
47 29.440451 <HAPROXY> <CLIENT>  TLSv1.2 1508 Server Hello
48 29.440473 <HAPROXY> <CLIENT>  TLSv1.2 1134 Certificate
49 29.461553 <CLIENT>  <HAPROXY> TCP     68   62199→443 [ACK] Seq=146 Ack=2507 Win=130000 Len=0 TSval=666771586 TSecr=1791798055
50 29.467494 <CLIENT>  <HAPROXY> TCP     68   62199→443 [FIN, ACK] Seq=146 Ack=2507 Win=131072 Len=0 TSval=666771592 TSecr=1791798055
51 29.467675 <HAPROXY> <CLIENT>  TCP     68   443→62199 [FIN, ACK] Seq=2507 Ack=147 Win=15552 Len=0 TSval=1791798082 TSecr=666771592
52 29.483925 <CLIENT>  <HAPROXY> TCP     68   62199→443 [ACK] Seq=147 Ack=2508 Win=131072 Len=0 TSval=666771608 TSecr=1791798082

Thanks for your help in advance.

Best regards,
Heiko

---
Heiko Burghardt
IT Infrastructure
--
..............................................................
Riege Software International GmbH   Phone:  +49 2159 91480
Mollsfeld 10                        Fax:    +49 2159 914811
40670 Meerbusch                     Web:    www.riege.com
Germany                             E-Mail: burgha...@riege.com
--
Commercial Register:                Managing Directors:
Amtsgericht Neuss HRB-NR 4207       Christian Riege
VAT Reg No.: DE120585842            Gabriele Riege
                                    Johannes Riege
                                    Tobias Riege
..............................................................
YOU CARE FOR FREIGHT, WE CARE FOR YOU
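The capture above shows the pattern that makes this kind of report hard to triage by eye: the client sends its hello, the server answers with Server Hello and Certificate, and the client then closes the TCP connection without ever sending a Client Key Exchange or a TLS alert. The following script is an added example, not tooling from the thread or from the HAProxy project. It parses packet-list summary lines of the shape pasted in the mail (frame number, time, source, destination, protocol, length, info; this column layout is an assumption) and reports, per connection, which handshake messages were seen, which record format the Client Hello used, and which side closed first. The two embedded captures are constructed: the first reproduces the lines from the mail with the <CLIENT>/<HAPROXY> placeholders, the second is an invented completed handshake for comparison.

```python
"""Triage a pasted Wireshark/tshark packet-list summary of a TLS handshake.

Added example for this thread, not the author's or HAProxy's own code. It
assumes summary lines of the form "<frame> <time> <src> <dst> <proto> <len> <info>".
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: the capture lines from the mail, hosts kept as placeholders.
SAMPLE_FAILED = """\
43 29.413080 <CLIENT> <HAPROXY> TCP 80 62199→443 [SYN] Seq=0 Win=65535 Len=0 MSS=1452 WS=16 TSval=666771533 TSecr=0 SACK_PERM=1
44 29.413184 <HAPROXY> <CLIENT> TCP 76 443→62199 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 MSS=1460 SACK_PERM=1 TSval=1791798027 TSecr=666771533 WS=64
45 29.430494 <CLIENT> <HAPROXY> TCP 68 62199→443 [ACK] Seq=1 Ack=1 Win=132480 Len=0 TSval=666771557 TSecr=1791798027
46 29.435106 <CLIENT> <HAPROXY> SSLv2 213 Client Hello
47 29.440451 <HAPROXY> <CLIENT> TLSv1.2 1508 Server Hello
48 29.440473 <HAPROXY> <CLIENT> TLSv1.2 1134 Certificate
49 29.461553 <CLIENT> <HAPROXY> TCP 68 62199→443 [ACK] Seq=146 Ack=2507 Win=130000 Len=0 TSval=666771586 TSecr=1791798055
50 29.467494 <CLIENT> <HAPROXY> TCP 68 62199→443 [FIN, ACK] Seq=146 Ack=2507 Win=131072 Len=0 TSval=666771592 TSecr=1791798055
51 29.467675 <HAPROXY> <CLIENT> TCP 68 443→62199 [FIN, ACK] Seq=2507 Ack=147 Win=15552 Len=0 TSval=1791798082 TSecr=666771592
"""

# Constructed sample of a handshake that completes, for comparison (invented hosts).
SAMPLE_OK = """\
1 0.000000 10.0.0.5 10.0.0.9 TCP 74 50000→443 [SYN] Seq=0 Win=65535 Len=0
2 0.000100 10.0.0.9 10.0.0.5 TCP 74 443→50000 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0
3 0.001000 10.0.0.5 10.0.0.9 TLSv1.2 250 Client Hello
4 0.002000 10.0.0.9 10.0.0.5 TLSv1.2 1400 Server Hello, Certificate, Server Key Exchange, Server Hello Done
5 0.003000 10.0.0.5 10.0.0.9 TLSv1.2 200 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
6 0.004000 10.0.0.9 10.0.0.5 TLSv1.2 120 Change Cipher Spec, Encrypted Handshake Message
7 0.005000 10.0.0.5 10.0.0.9 TLSv1.2 300 Application Data
"""

# frame, time, src, dst, proto, length, info (assumed column layout, see lead-in)
LINE_RE = re.compile(r"^\s*(\d+)\s+([\d.]+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(.*)$")


@dataclass
class Flow:
    client: str
    server: str
    hello_record: Optional[str] = None  # protocol column of the frame carrying the Client Hello
    messages: List[Tuple[str, str]] = field(default_factory=list)  # (sender role, TLS message)
    alert_from: Optional[str] = None    # side that sent the first TLS alert, if any
    closed_by: Optional[str] = None     # side that sent the first FIN or RST, if any


def parse_summary(text: str) -> Dict[Tuple[str, str], Flow]:
    """Group summary lines by endpoint pair and record the TLS and TCP-teardown events."""
    flows: Dict[Tuple[str, str], Flow] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # prose or blank line pasted between packets
        _frame, _ts, src, dst, proto, _length, info = m.groups()
        key = (min(src, dst), max(src, dst))
        if key not in flows:
            # The first sender on a connection is the one that sent the SYN, i.e. the client.
            flows[key] = Flow(client=src, server=dst)
        flow = flows[key]
        role = "client" if src == flow.client else "server"
        if proto.startswith(("SSL", "TLS")):
            # Wireshark lists several messages of one frame comma-separated in the info column.
            for msg in (part.strip() for part in info.split(",")):
                flow.messages.append((role, msg))
                if msg == "Client Hello":
                    flow.hello_record = proto  # "SSLv2" means an SSLv2-compatible hello record
                if msg.startswith("Alert") and flow.alert_from is None:
                    flow.alert_from = role
        elif proto == "TCP" and ("[FIN" in info or "[RST" in info) and flow.closed_by is None:
            flow.closed_by = role
    return flows


def diagnose(flow: Flow) -> str:
    """One-line verdict on how far the handshake got and which side gave up."""
    names = [msg for _, msg in flow.messages]
    if flow.alert_from is not None:
        return "%s sent a TLS alert after: %s" % (flow.alert_from, ", ".join(names))
    if "Application Data" in names:
        return "handshake completed, application data exchanged"
    if "Client Key Exchange" in names:
        return "client accepted the server's parameters (Client Key Exchange sent)"
    if flow.closed_by == "client" and "Certificate" in names:
        return "client closed silently after the server's Certificate (no Client Key Exchange, no alert)"
    if flow.closed_by == "server" and "Client Hello" in names and "Server Hello" not in names:
        return "server closed after Client Hello without answering"
    return "incomplete handshake: " + (", ".join(names) or "no TLS records seen")


if __name__ == "__main__":
    for label, text in (("failed", SAMPLE_FAILED), ("ok", SAMPLE_OK)):
        for flow in parse_summary(text).values():
            print(label, flow.client, "->", flow.server,
                  "| Client Hello record:", flow.hello_record, "|", diagnose(flow))
```

A silent client-side close after the Certificate, with no alert record, points at the client rejecting something in the server's hello or certificate rather than at a transport problem, which is why the verdict separates "alert sent" from "closed silently". The `hello_record` field surfaces the SSLv2-compatible hello format seen in the mail, which is worth noting separately when comparing against a client that works.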