Check handshake with tcpdump / wireshark to see what's happening.

On Friday, April 24, 2015, <i...@linux-web-development.de> wrote:

> On 2015-04-23 17:11, Baptiste wrote:
>> On Thu, Apr 23, 2015 at 4:18 PM, <i...@linux-web-development.de> wrote:
>>> SSLv3 is not allowed anywhere in our infrastructure, it is disabled
>>> already.
>>>
>> You did not catch the point.
>> HAProxy may use SSLv3 to get connected to the server.
>> So disable SSLv3 on the server side on HAProxy just to ensure this is
>> not the root of the problem.
>> Then we could investigate further.
>>
>> Baptiste
>
> I've limited the options on the backend to only allow
> ECDHE-RSA-AES256-GCM-SHA384 and TLS1.2 and verified that this works with
> s_client:
>
> s_client output:
> [..]
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
> [..]
> Protocol : TLSv1.2
>
> And set the following options in the HAProxy configuration:
>
> ssl-default-server-ciphers ECDHE-RSA-AES128-GCM-SHA384:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
> ssl-default-server-options no-sslv3
>
> The backend servers now additionally have the following options set:
>
> server apache_rem_1 1.2.3.4:12345 check maxconn 1000 maxqueue 5000 check-ssl ssl verify required force-tlsv12 ca-file /etc/ssl/web.pem
>
> So as far as I understand, HAProxy as well as the backend should both be
> forced to use ECDHE-RSA-AES256-GCM-SHA384/TLS1.2 but I still get the same
> error (>>Layer6 invalid response, info: "SSL handshake failure"<<).
>
> Anything I missed?

-- 
With regards,
Eugene Sudyr
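Once the capture suggested above has been taken, the useful information is in the first few TLS records: which protocol version and cipher suites the HAProxy health check actually offered, and which alert the backend answered with. The following decoder is an added example, not code from this thread or from HAProxy; it parses raw TLS record bytes (as exported from tcpdump / wireshark) and names the ClientHello parameters and any alert. The sample capture bytes are constructed with the block's own builder functions, the suite and alert tables cover only a handful of values, and extensions are not parsed.

```python
"""Decode raw TLS records to see where a backend handshake stops.
Added example; the sample bytes are constructed, not a real capture."""
import struct

TLS_VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}
RECORD_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate",
                   12: "server_key_exchange", 14: "server_hello_done", 16: "client_key_exchange"}
ALERT_DESCRIPTIONS = {40: "handshake_failure", 42: "bad_certificate", 46: "certificate_unknown",
                      48: "unknown_ca", 70: "protocol_version", 86: "inappropriate_fallback"}
# IANA suite ids mapped to their OpenSSL names (only a few, enough for this thread)
CIPHER_SUITES = {0xC030: "ECDHE-RSA-AES256-GCM-SHA384", 0xC02F: "ECDHE-RSA-AES128-GCM-SHA256",
                 0x009D: "AES256-GCM-SHA384", 0x002F: "AES128-SHA"}


def build_client_hello(cipher_suites, client_version=0x0303):
    """Minimal ClientHello record (constructed sample: zero random, no extensions)."""
    body = struct.pack("!H", client_version)
    body += b"\x00" * 32                                    # client random
    body += b"\x00"                                         # empty session id
    body += struct.pack("!H", 2 * len(cipher_suites))
    body += b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body += b"\x01\x00"                                     # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    # Real clients send the record layer as TLSv1.0 for the first flight; the
    # version that matters is client_version inside the ClientHello body.
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake


def build_alert(level, description, version=0x0303):
    """Alert record: level 1 = warning, 2 = fatal."""
    return b"\x15" + struct.pack("!HH", version, 2) + bytes([level, description])


def parse_records(data):
    """Split a byte stream into (content_type, record_version, payload) tuples."""
    records, offset = [], 0
    while offset + 5 <= len(data):
        ctype, version, length = struct.unpack("!BHH", data[offset:offset + 5])
        payload = data[offset + 5:offset + 5 + length]
        if len(payload) < length:
            raise ValueError("truncated record at offset %d" % offset)
        records.append((ctype, version, payload))
        offset += 5 + length
    return records


def handshake_messages(payload):
    """Yield (handshake_type, body) for each message inside a handshake record."""
    pos = 0
    while pos + 4 <= len(payload):
        htype = payload[pos]
        hlen = int.from_bytes(payload[pos + 1:pos + 4], "big")
        yield htype, payload[pos + 4:pos + 4 + hlen]
        pos += 4 + hlen


def parse_client_hello(body):
    """Return (client_version, [cipher suite ids]) from a ClientHello body."""
    client_version = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                                            # skip client random
    sid_len = body[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    return client_version, suites


def describe(data):
    """One human-readable line per record / handshake message."""
    lines = []
    for ctype, version, payload in parse_records(data):
        rtype = RECORD_TYPES.get(ctype, "type %d" % ctype)
        rver = TLS_VERSIONS.get(version, "0x%04x" % version)
        if ctype == 22:
            for htype, body in handshake_messages(payload):
                name = HANDSHAKE_TYPES.get(htype, "handshake type %d" % htype)
                if htype == 1:
                    cv, suites = parse_client_hello(body)
                    names = ", ".join(CIPHER_SUITES.get(s, "0x%04x" % s) for s in suites)
                    lines.append("%s record (%s): %s, client_version %s, offering %s"
                                 % (rtype, rver, name, TLS_VERSIONS.get(cv, "0x%04x" % cv), names))
                else:
                    lines.append("%s record (%s): %s" % (rtype, rver, name))
        elif ctype == 21 and len(payload) >= 2:
            level = "fatal" if payload[0] == 2 else "warning"
            desc = ALERT_DESCRIPTIONS.get(payload[1], "alert code %d" % payload[1])
            lines.append("%s record (%s): %s %s" % (rtype, rver, level, desc))
        else:
            lines.append("%s record (%s): %d bytes" % (rtype, rver, len(payload)))
    return lines


# Constructed sample: client offers only ECDHE-RSA-AES256-GCM-SHA384 over TLS 1.2,
# server answers with a fatal handshake_failure alert.
SAMPLE_CAPTURE = build_client_hello([0xC030]) + build_alert(2, 40)

if __name__ == "__main__":
    for line in describe(SAMPLE_CAPTURE):
        print(line)
```

To feed real bytes in, capture the backend port shown in the thread with `tcpdump -i any -s0 -w backend.pcap port 12345`, export the TCP payload of the client and server sides from wireshark, and pass each byte string to `describe()`. The record version on the ClientHello is deliberately reported separately from `client_version`, because a backend that rejects on the outer record version is a different problem from one that rejects the offered suites.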