On Tue, Oct 21, 2014 at 04:56:31PM +0200, Thomas Heil wrote:
> Hi,
>
> On 21.10.2014 16:26, John Leach wrote:
> > Hi,
> >
> > I'm trying to disable sslv3 with the "no-sslv3" bind option, but it's
> > not working.
> >
> > The option is accepted and the restart is successful, but sslv3 is still
> > accepted:
> >
> > $ openssl s_client -ssl3 -connect localhost:443
> >
> > New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> > Server public key is 1024 bit
> > Secure Renegotiation IS supported
> > Compression: NONE
> > Expansion: NONE
> > SSL-Session:
> >     Protocol  : SSLv3
> >     Cipher    : DHE-RSA-AES256-SHA
> >     Session-ID:
> > D74EC1760F565669B7CD8D21636D05AABC9E047DAC94133E62240B3824EB8176
> >     Session-ID-ctx:
> >     Master-Key:
> > 11417200F033C2B542B4FA3A7DC3C00214EFE92C7709FD406014D047D75DBA40573447ED5808962211AF323860367DEE
> >     Key-Arg   : None
> >     PSK identity: None
> >     PSK identity hint: None
> >     SRP username: None
> >     Start Time: 1413900818
> >
> > double checked with nmap.
> >
> > Tested with haproxy 1.5.3 and 1.5.4 on Ubuntu 14.10, Fedora 20 and Centos 7.
> >
> > Config is as simple as:
> >
> >
> > frontend myfrontend
> >   bind 0.0.0.0:443 ssl crt /etc/haproxy/mycert.pem no-sslv3
> >   default_backend mybackend
> >   reqadd X-Forwarded-Proto:\ https
> I've checked your config on centos 7 with the official version 1.5.2 and
> it works.
I also tried 1.5.2 on RHEL7 and it also works.

Ryan

> --
> # openssl s_client -ssl3 -connect 127.0.0.1:443
> CONNECTED(00000003)
> 139825192679328:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert
> handshake failure:s3_pkt.c:1257:SSL alert number 40
> 139825192679328:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl
> handshake failure:s3_pkt.c:596:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 7 bytes and written 0 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : SSLv3
>     Cipher    : 0000
>     Session-ID:
>     Session-ID-ctx:
>     Master-Key:
>     Key-Arg   : None
>     Krb5 Principal: None
>     PSK identity: None
>     PSK identity hint: None
>     Start Time: 1413903320
>     Timeout   : 7200 (sec)
>     Verify return code: 0 (ok)
> ---
>
> >
> >
> > I've also tried disabling tls too, and that seems to have no effect either.
> >
> > Lots of people are recommending this as a fix against the POODLE vuln,
> > so it's quite critical! Any thoughts?
> Could you post haproxy -vv?
> Where does your package come from? Did you compile it by yourself?
>
> > Thanks,
> >
> > John.
> > --
> > http://brightbox.com
> >
> >
>
>
> cheers
> thomas
>
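As an added check script, not from the thread or from HAProxy itself: a small POSIX shell probe that runs the same `openssl s_client -ssl3` test the posts above use and reads the output correctly. The point it encodes is visible in the two pastes: a refused handshake still prints `Protocol : SSLv3`, so only the cipher lines tell acceptance from refusal. Host and port arguments, and an OpenSSL build that still accepts `-ssl3`, are assumptions.

```shell
#!/bin/sh
# Added example (not the list's or HAProxy's code): verify that a bind line's
# "no-sslv3" actually took effect by probing with openssl s_client.

# Decide from captured `openssl s_client -ssl3` output (read from stdin)
# whether an SSLv3 session was really negotiated. Exit status 0 = accepted.
# Pitfall: a refused handshake still prints "Protocol : SSLv3", but with
# "New, (NONE), Cipher is (NONE)" and "Cipher : 0000" (as in the pastes
# above), so the cipher lines, not the protocol line, decide the verdict.
sslv3_accepted() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -Eq 'Cipher is \(NONE\)|Cipher *: *0000'; then
        return 1
    fi
    printf '%s\n' "$out" | grep -q 'Protocol *: *SSLv3'
}

# Probe host:port (port defaults to 443) and print a one-line verdict.
# Returns 0 when SSLv3 is refused (the state you want after no-sslv3),
# 1 when it is still accepted, 2 when this openssl cannot run the test.
check_sslv3() {
    host=$1
    port=${2:-443}
    # stdin from /dev/null so s_client exits right after the handshake.
    out=$(openssl s_client -ssl3 -connect "$host:$port" 2>&1 </dev/null)
    # Newer OpenSSL builds drop the -ssl3 option entirely; treat that as
    # "untestable" rather than reporting a false "refused" (pattern is a
    # heuristic on the option error text).
    if printf '%s\n' "$out" | grep -Eqi 'unknown option|not supported'; then
        echo "cannot test $host:$port: this openssl has no SSLv3 client support"
        return 2
    fi
    if printf '%s\n' "$out" | sslv3_accepted; then
        echo "SSLv3 ACCEPTED on $host:$port: no-sslv3 is not in effect"
        return 1
    fi
    echo "SSLv3 refused on $host:$port"
    return 0
}

if [ $# -gt 0 ]; then
    check_sslv3 "$@"
fi
```

Run it as `sh check_sslv3.sh 127.0.0.1 443` against each HAProxy host after reloading; a non-zero exit means the bind option did not take, exactly the situation John reports.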