Connection closed during SSL handshake

Heiko Burghardt Fri, 17 Oct 2014 09:37:31 -0700

Hello Lukas,


> Am 17.10.2014 um 18:11 schrieb Lukas Tribus <luky...@hotmail.com>:
> 
>> Used the bind parameter before which did / does not help and
>> created a tcpdump with the mentioned settings (DH = 1024 Bit
>> and force tls) with your requested parameters.
> 
> Something doesn't add up.
> 
> The handshake you sent me is still negotiating TLSv1.2 and
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027), but:
> - Java 7 doesn't support TLSv1.2
> - Java 7 doesn't support this cipher
> - HAProxy with force-tlsv10 is supposed to force TLSv1.0
> 
> 
> 
> Are you sure this is a Java 7 JRE connecting? Are you
> sure forcetls is configured and HAProxy has been properly
> restarted?

The client used for the test has Oracle Java 1.7.0_72 (JDK) installed on Mac OS 
X 10.9. The bind is done this way:
—
bind *:443 ssl crt /etc/pki/tls/certs/domain-haproxy.pem force-tlsv10
—

Currently, I start haproxy manually with this command (in the same shell I edit 
the config file, thus I have to stop haproxy with CTRL-C for changes):
— 
haproxy -d -f /etc/haproxy/haproxy.cfg
— 

> Please also provide the output of "haproxy -vv".


HA-Proxy version 1.5.5 2014/10/07
Copyright 2000-2014 Willy Tarreau <w...@1wt.eu>

Build options :
  TARGET  = linux2628
  CPU     = generic
  CC      = gcc
  CFLAGS  = -O2 -g -fno-strict-aliasing
  OPTIONS = USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_PCRE=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.3
Compression algorithms supported : identity, deflate, gzip
Built with OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
Running on OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 7.8 2008-09-05
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT 
IP_FREEBIND

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Thanks again and best regards,
    Heiko

---
Heiko Burghardt
IT Infrastructure
-- 


..............................................................
Riege Software International GmbH  Phone: +49 2159 91480
Mollsfeld 10                       Fax: +49 2159 914811
40670 Meerbusch                    Web: www.riege.com
Germany                            E-Mail: burgha...@riege.com
--                                 --
Commercial Register:               Managing Directors:
Amtsgericht Neuss HRB-NR 4207      Christian Riege
VAT Reg No.: DE120585842           Gabriele  Riege
                                   Johannes  Riege
                                   Tobias    Riege
..............................................................
           YOU CARE FOR FREIGHT, WE CARE FOR YOU

Re: Switching Java client to Websocket with SSL // Connection closed during SSL handshake

Reply via email to