On 2015-02-21 05:15, Lukas Tribus wrote:
> Out of the blue, I would suggest to make sure DH params for DHE ciphers
> are fixed to 1024 bit (known Java limitation to only support 1024 bit
> with DHE ciphers in the older releases) - this can be either in the
> certificate file or generated by haproxy at startup (in which case it's
> configurable with tune.ssl.default-dh-param) and to set the other
> parameters as mentioned in:
> https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility
DH size is indeed an important factor with older Java clients. Using a
certificate with a SHA-256 signature will also break older clients.

Could you run cipherscan against your haproxy endpoint and post the
results here?
https://github.com/jvehent/cipherscan
- Julien