On 2015-04-23 17:11, Baptiste wrote:
On Thu, Apr 23, 2015 at 4:18 PM, <i...@linux-web-development.de> wrote:
SSLv3 is not allowed anywhere in our infrastructure, it is disabled already.


You did not catch the point.
HAProxy may use SSLv3 to get connected to the server.
So disable SSLv3 on the server side in HAProxy just to ensure this is
not the root of the problem.
Then we could investigate further.

Baptiste

I've limited the options on the backend to only allow ECDHE-RSA-AES256-GCM-SHA384 and TLS1.2 and verified that this works with s_client:

    s_client output:
      [..]
      New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
      [..]
        Protocol  : TLSv1.2

And set the following options in the HAProxy configuration:

    ssl-default-server-ciphers ECDHE-RSA-AES128-GCM-SHA384:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
    ssl-default-server-options no-sslv3

The backend servers now additionally have the following options set:

server apache_rem_1 1.2.3.4:12345 check maxconn 1000 maxqueue 5000 check-ssl ssl verify required force-tlsv12 ca-file /etc/ssl/web.pem


So as far as I understand, HAProxy as well as the backend should both be forced to use ECDHE-RSA-AES256-GCM-SHA384/TLS1.2 but I still get the same error(>>Layer6 invalid response, info: "SSL handshake failure"<<).

Anything I missed?
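As an added check (not from the thread or from HAProxy itself) for the configuration posted above: the script below expands a cipher string with the local OpenSSL the way HAProxy does at startup, flags any explicit cipher name OpenSSL does not know (in OpenSSL naming, AES128-GCM pairs with SHA256 and AES256-GCM with SHA384), and compares the protocol and cipher that s_client negotiated with the backend against the server-side constraints. The s_client excerpt is constructed from the lines quoted in the message.

```python
import re
import ssl

# Constructed excerpt of the s_client output quoted in the message.
S_CLIENT_OUTPUT = """\
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
"""

# Cipher string from the posted ssl-default-server-ciphers line.
HAPROXY_SERVER_CIPHERS = ("ECDHE-RSA-AES128-GCM-SHA384:HIGH:!aNULL:!eNULL"
                          ":!EXPORT:!DES:!MD5:!PSK:!RC4")

def resolve_ciphers(spec):
    """Expand an OpenSSL cipher string with the local OpenSSL, as HAProxy
    does at startup. Returns [] when no TLS <= 1.2 cipher matches at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:          # OpenSSL: "no cipher match"
        return []
    return [c["name"] for c in ctx.get_ciphers()]

def unmatched_names(spec):
    """Explicit cipher names in the string that OpenSSL does not know.
    Keywords (HIGH) and exclusions (!aNULL) are skipped."""
    return [tok for tok in spec.split(":")
            if tok[0] not in "!-+" and "-" in tok and not resolve_ciphers(tok)]

def parse_s_client(output):
    """Negotiated (protocol, cipher) from s_client output. The 'New,
    TLSv1/SSLv3' label is only OpenSSL's cipher-family name; the actual
    protocol version is on the 'Protocol :' line."""
    cipher = re.search(r"Cipher is (\S+)", output)
    proto = re.search(r"Protocol\s*:\s*(\S+)", output)
    return (proto.group(1) if proto else None,
            cipher.group(1) if cipher else None)

def backend_matches(spec, force_tlsv12, s_client_output):
    """True when what the backend negotiated with s_client is also
    acceptable under the HAProxy server-side cipher/protocol settings."""
    proto, cipher = parse_s_client(s_client_output)
    if force_tlsv12 and proto != "TLSv1.2":
        return False
    return cipher in resolve_ciphers(spec)

if __name__ == "__main__":
    print("unknown cipher names:", unmatched_names(HAPROXY_SERVER_CIPHERS))
    print("backend acceptable:", backend_matches(HAPROXY_SERVER_CIPHERS, True, S_CLIENT_OUTPUT))
```

A cipher list that still matches via HIGH starts fine, so a misspelt explicit name is silently dropped rather than rejected; run the check against the verify/ca-file settings next if this reports no mismatch.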
