On Sat, Feb 21, 2015 at 12:39 AM, NuSkooler <nuskoo...@gmail.com> wrote:
> We have been in the process of deploying HAProxy as an SSL terminator
> between our client software and back end services. In the testing
> phases, everything is working great and looking good with one
> exception: Some old client software that utilizes a Java SSL
> implementation fails to connect and we end up with logs like this:
>
> [20/Feb/2015:15:49:51.632] https_frontend~ https_frontend/<NOSRV>
> -1/-1/-1/-1/23 400 187 - - CR-- 0/0/0/0/0 0/0 "<BADREQ>"
>
> Without HAProxy in the mix, these same clients connect up to our
> Mochiweb services (via SSL) just fine. Additionally, our newer clients
> that are OpenSSL based communicate with HAProxy (termination) ->
> Mochiweb (via HTTP) just fine as well.
>
> From what I can tell, it appears as though we may have a combination
> of two bad things:
> 1) Clients sending some sort of non-standard handshake
> 2) Mochiweb has been allowing it.
>
> Some additional gritty details:
> * socat 'show errors' shows 0 errors
> * The same bad clients fail to connect to an OpenSSL s_server (logs below)
>
> Since we can't even properly connect to s_server, that may be the end
> of the road for those clients. However, I'm hoping there may be
> something that could be configured to allow them through HAProxy.
> Below is an s_server log. Note the read failure at the end. A similar
> capture in the view of Wireshark is below that. Lastly, *with* HAProxy
> when the NOSRV/BADREQ is issued, the client is sent an encrypted 400
> Bad Request.
>
> Any help/tips appreciated! This represents a large client base that
> unfortunately cannot be updated for the time being. If we cannot go
> through HAProxy directly, the next step is to figure out a way to
> route old clients around it :(
Hi,

Since HAProxy returns a 400, it means that the issue is above the SSL
connection.

You should enable HAProxy's stats socket and run the following command on
it right after a 400 has been emitted:

  show errors

Then HAProxy will print why it blocked the request and why it considered
that this request was not HTTP compliant.

Baptiste
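To make sense of the log line quoted in the thread before (or instead of) reaching for the stats socket, here is an added example, not code from either poster or from the HAProxy project: a small Python parser for HAProxy's HTTP-mode log format that splits out the fields and expands the two leading characters of the termination state according to the HAProxy configuration manual. The first sample line is the one the original poster quoted; the second, successful request is constructed here for contrast. The field order, the `~` suffix marking an SSL-terminated frontend, and the `<NOSRV>` / `<BADREQ>` placeholders are all documented HAProxy behaviour; the flag descriptions are paraphrased from the manual.

```python
"""Decode HAProxy HTTP-mode log lines and expand the termination state.

Added example for the mailing-list thread; not HAProxy project code.
Field layout: [client:port] [date] frontend backend/server Tq/Tw/Tc/Tr/Tt
status bytes req_cookie resp_cookie termination_state
actconn/feconn/beconn/srv_conn/retries srv_queue/backend_queue "request".
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# First character of the termination state: who/what ended the session.
WHO_CLOSED = {
    "C": "client aborted (or closed) the connection",
    "S": "server aborted, refused or timed out",
    "P": "haproxy aborted it (invalid request/response, deny rule, ...)",
    "L": "haproxy handled the request locally (redirect, stats, errorfile)",
    "R": "resource exhaustion on the proxy (sockets, memory)",
    "I": "internal error in haproxy",
}
# Second character: what haproxy was doing when the session ended.
SESSION_STATE = {
    "R": "waiting for a complete, valid request from the client",
    "Q": "request queued, waiting for a server slot",
    "C": "connecting to the server",
    "H": "waiting for response headers from the server",
    "D": "transferring data",
    "L": "sending the last data to the client",
    "T": "request tarpitted",
}

LOG_RE = re.compile(
    r"(?:(?P<client>\S+:\d+)\s+)?\[(?P<ts>[^\]]+)\]\s+"
    r"(?P<frontend>\S+)\s+(?P<backend>[^/\s]+)/(?P<server>\S+)\s+"
    r"(?P<Tq>-?\d+)/(?P<Tw>-?\d+)/(?P<Tc>-?\d+)/(?P<Tr>-?\d+)/(?P<Tt>\+?\d+)\s+"
    r"(?P<status>-?\d+)\s+(?P<bytes>\+?\d+)\s+\S+\s+\S+\s+"
    r"(?P<term>\S{4})\s+\d+/\d+/\d+/\d+/\+?\d+\s+\d+/\d+\s+"
    r'"(?P<request>.*)"\s*$'
)

# Line quoted by the original poster (client address omitted in the mail).
SAMPLE_BADREQ = ('[20/Feb/2015:15:49:51.632] https_frontend~ https_frontend/<NOSRV> '
                 '-1/-1/-1/-1/23 400 187 - - CR-- 0/0/0/0/0 0/0 "<BADREQ>"')
# Constructed line showing what a healthy request through the same frontend looks like.
SAMPLE_OK = ('1.2.3.4:51234 [20/Feb/2015:15:50:02.111] https_frontend~ mochiweb/web1 '
             '12/0/1/48/61 200 1530 - - ---- 5/5/1/1/0 0/0 "GET /api/ping HTTP/1.1"')


@dataclass
class HttpLogEntry:
    client: Optional[str]
    timestamp: str
    frontend: str
    ssl: bool           # trailing '~' on the frontend name: SSL was terminated here
    backend: str
    server: str
    Tq: int             # -1 when no complete request was received
    Tt: int             # total session time in ms
    status: int
    bytes_read: int
    termination: str
    request: str


def parse_http_log(line: str) -> HttpLogEntry:
    """Parse one HTTP-mode log line; a syslog prefix before the fields is tolerated."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not an HAProxy HTTP-mode log line: %r" % line)
    fe = m.group("frontend")
    return HttpLogEntry(
        client=m.group("client"), timestamp=m.group("ts"),
        frontend=fe.rstrip("~"), ssl=fe.endswith("~"),
        backend=m.group("backend"), server=m.group("server"),
        Tq=int(m.group("Tq")), Tt=int(m.group("Tt").lstrip("+")),
        status=int(m.group("status")), bytes_read=int(m.group("bytes").lstrip("+")),
        termination=m.group("term"), request=m.group("request"),
    )


def explain_termination(term: str) -> str:
    """Expand the first two characters of a termination state like 'CR--'."""
    if term[:2] == "--":
        return "normal session completion"
    who = WHO_CLOSED.get(term[0], "unknown cause %r" % term[0])
    state = SESSION_STATE.get(term[1], "unknown state %r" % term[1])
    return "%s while %s" % (who, state)


def diagnose(entry: HttpLogEntry) -> List[str]:
    """Return human-readable findings for the markers that matter in a 400 investigation."""
    findings = []
    if entry.ssl:
        findings.append("connection was SSL-terminated by frontend %s ('~' suffix)" % entry.frontend)
    if entry.request == "<BADREQ>":
        findings.append("haproxy never parsed a complete request line (<BADREQ>)")
    if entry.server == "<NOSRV>":
        findings.append("no backend server was ever selected (<NOSRV>)")
    if entry.Tq < 0:
        findings.append("Tq is -1: the session ended before a complete request arrived")
    findings.append("termination %s: %s" % (entry.termination, explain_termination(entry.termination)))
    return findings


if __name__ == "__main__":
    for line in (SAMPLE_BADREQ, SAMPLE_OK):
        for f in diagnose(parse_http_log(line)):
            print(f)
        print()
```

Run against the quoted line, the decoder reports `CR--` as "client aborted (or closed) the connection while waiting for a complete, valid request from the client", alongside `<BADREQ>`, `<NOSRV>` and `Tq = -1`. To follow the advice in the reply, add `stats socket /var/run/haproxy.sock mode 600 level admin` to the `global` section, reload, reproduce the failure and query it with `echo "show errors" | socat stdio /var/run/haproxy.sock`; the dump includes the raw bytes haproxy received, which is the quickest way to see whether a client is sending anything haproxy could recognise as HTTP at all.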