Are you putting DH parameters in mycert.pem?

PFS depends on using the DH algorithm to exchange and create a secret for
the connection.

    openssl dhparam 2048 >> mycert.pem

should add the DH parameters to the cert file.

Regards,
Vivek

On Mon, Dec 8, 2014 at 4:44 PM, Sander Rijken <san...@sanderrijken.nl> wrote:
> System is Ubuntu 12.04 LTS server, with openssl 1.0.1 and haproxy 1.5.9
>
>     OpenSSL> version
>     OpenSSL 1.0.1 14 Mar 2012
>
>
> I'm currently using the following, started with the suggested [stanzas][1]
> (formatted for readability, it is one long line in my config):
>
>     bind 0.0.0.0:443 ssl crt mycert.pem no-tls-tickets ciphers \
>         ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384: \
>         ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA384: \
>         ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256: \
>         AES128-SHA:AES256-SHA256:AES256-SHA no-sslv3
>
> [1]: https://gist.github.com/rnewson/8384304
>
> ssllabs.com indicates FS is not used. When I disable all algorithms except
> the ECDHE ones, I get an SSL connection error (ERR_SSL_PROTOCOL_ERROR), so
> something on the system doesn't support FS.
>
> Any ideas?
>
>
> --
> Sander Rijken
>
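A check worth running before touching the certificate file: which suites in the posted `ciphers` string actually provide forward secrecy, and whether the OpenSSL on the box can offer any of them at all. The script below is an added example for this thread, not code from either poster or from the haproxy project. The cipher string is copied from Sander's bind line; the classification rule (ephemeral suites are the ones whose OpenSSL name starts with ECDHE-/EECDH-/DHE-/EDH-) and the use of Python's `ssl` module as a stand-in for the system OpenSSL are the example's own assumptions. An empty result from `local_support()` on a server is the same symptom as the ERR_SSL_PROTOCOL_ERROR above: the library accepted none of the requested suites.

```python
"""Classify a haproxy `ciphers` list for forward secrecy and see which suites
the local OpenSSL can offer.  Added example for this thread; the cipher string
is from the posted bind line, everything else is assumed."""
import ssl

# Cipher list copied from the posted haproxy bind line (constructed input).
POSTED_CIPHERS = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:"
    "AES128-SHA:AES256-SHA256:AES256-SHA"
)

# OpenSSL name prefixes that mean an ephemeral (EC)DH key exchange.  Static
# "ECDH-" / "DH-" suites (no trailing E) reuse the certificate's key and give
# no forward secrecy, which is why the prefix match must keep the E.
FS_PREFIXES = ("ECDHE-", "EECDH-", "DHE-", "EDH-")


def split_cipher_list(spec):
    """Split an OpenSSL-style colon-separated cipher string into suite names."""
    return [name for name in spec.split(":") if name]


def forward_secret(name):
    """True if the suite name denotes an ephemeral (EC)DH key exchange."""
    return name.startswith(FS_PREFIXES)


def classify(spec):
    """Return (fs_suites, non_fs_suites), each in the order haproxy offers them.

    haproxy/OpenSSL prefer the server's order, so an FS suite listed first is
    normally picked; if a scanner still reports no FS, the FS suites are not
    usable on the server side rather than merely out-ranked."""
    names = split_cipher_list(spec)
    fs = [n for n in names if forward_secret(n)]
    non_fs = [n for n in names if not forward_secret(n)]
    return fs, non_fs


def local_support(spec):
    """Ask the OpenSSL linked into this Python which requested suites it can
    offer.  Returns {suite_name: key_exchange}, e.g. {"ECDHE-RSA-AES128-SHA": "ECDH"}.
    An empty dict means the library rejected the whole list, which is what an
    ECDHE-only `ciphers` list produces on a build without EC support."""
    requested = set(split_cipher_list(spec))
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        return {}
    offered = {}
    # get_ciphers() also lists TLS 1.3 suites on newer OpenSSL; keep only the
    # names we asked for.  The description field is the same text that
    # `openssl ciphers -v` prints, e.g.
    #   "ECDHE-RSA-AES128-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1"
    for cipher in ctx.get_ciphers():
        if cipher["name"] not in requested:
            continue
        kx = next((tok.split("=", 1)[1] for tok in cipher["description"].split()
                   if tok.startswith("Kx=")), "?")
        offered[cipher["name"]] = kx
    return offered


def report(spec):
    """Build a human-readable summary as a list of lines."""
    fs, non_fs = classify(spec)
    offered = local_support(spec)
    lines = [f"OpenSSL in use: {ssl.OPENSSL_VERSION}",
             f"forward-secret suites ({len(fs)}): {', '.join(fs)}",
             f"non-FS suites ({len(non_fs)}): {', '.join(non_fs)}"]
    if not offered:
        lines.append("local OpenSSL accepted NONE of these suites")
    else:
        missing = sorted(set(fs) - set(offered))
        lines.append(f"FS suites the local OpenSSL cannot offer: {missing or 'none'}")
        lines.extend(f"  {name}: Kx={kx}" for name, kx in offered.items())
    return lines


if __name__ == "__main__":
    print("\n".join(report(POSTED_CIPHERS)))
```

On the server itself the equivalent command-line checks are `openssl ciphers -v 'ECDHE'` (lists the suites and their `Kx=` field; an error here means the library has no ECDHE at all) and `haproxy -vv`, which shows the OpenSSL version haproxy was actually built and linked against, which can differ from the `openssl version` output in the post.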