> On 02/12/2015 12:41 AM, "Cohen Galit" <galit.co...@xura.com> wrote:
> > Hello,
> >
> > When HAProxy 1.5.9 is trying to sample our servers with this configuration: tcp-check connect port 50443 ssl
> >
> > Our servers return an error:
> >
> > 2015-11-29 09:48:18,155 [StartPoint-IMAP-SSL-Worker(14)] [e8d05153-267f-4378-9a97-5245391ffe26] [] ERROR connection.SSLHandshakeStartPointListener (SSLHandshakeStartPointListener.java:onFailure :80) - SSL/TLS handshake failed with client identified by /10.106.75.51:35892

Do you authenticate the client and/or the server?

> > javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled
> You need to disable SSLv3 in haproxy

We are talking about the SSLv2 hello format. It's not about SSLv2 or SSLv3, it's about the hello format.

However, haproxy unconditionally sets SSL_OP_NO_SSLv2, which makes openssl not use the SSLv2 Hello, so I don't see why this would happen.

I think the error message from Tomcat about the SSLv2Hello is irrelevant and misleading and you actually have a simple authentication problem.

Regards,
Lukas
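
Added example, not part of the original thread: a small Python classifier for the first bytes a TLS listener receives, showing the difference the reply draws between the SSLv2 hello format and the protocol version offered inside it. The function name and the sample byte strings are constructed for illustration.

```python
# Added example: classify the first bytes a client sends to a TLS listener.
VERSIONS = {(0, 2): "SSLv2", (3, 0): "SSLv3", (3, 1): "TLSv1.0",
            (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}


def classify_hello(data: bytes) -> dict:
    """Return the framing ('format') and the highest version the client offers."""
    if len(data) < 5:
        return {"format": "unknown", "offered": None}
    # SSLv3/TLS framing: record type 0x16 (handshake), record version 3.x,
    # 2-byte record length, then handshake type 0x01 (ClientHello), a 3-byte
    # handshake length and the 2-byte client_version.
    if data[0] == 0x16 and data[1] == 0x03:
        if len(data) >= 11 and data[5] == 0x01:
            offered = VERSIONS.get((data[9], data[10]), "unknown")
            return {"format": "tls-record", "offered": offered}
        return {"format": "tls-record", "offered": None}
    # SSLv2 framing: 2-byte header with the high bit set (15-bit length),
    # message type 0x01 (CLIENT-HELLO), then the 2-byte offered version.
    if data[0] & 0x80 and data[2] == 0x01:
        declared = ((data[0] & 0x7F) << 8) | data[1]
        offered = VERSIONS.get((data[3], data[4]), "unknown")
        return {"format": "sslv2-hello", "offered": offered,
                "declared_len": declared}
    return {"format": "unknown", "offered": None}


# Constructed samples, truncated to the header bytes the classifier reads.
TLS_RECORD_HELLO = bytes.fromhex("160301002f0100002b0303")
SSLV2_FORMAT_HELLO = bytes.fromhex("802e0103010015000000100000")
PLAINTEXT_CLIENT = b"a1 CAPABILITY\r\n"

if __name__ == "__main__":
    for name, sample in [("tls record", TLS_RECORD_HELLO),
                         ("sslv2 format", SSLV2_FORMAT_HELLO),
                         ("plaintext", PLAINTEXT_CLIENT)]:
        print(name, classify_hello(sample))
```

The second sample uses SSLv2 framing while offering TLSv1.0, which is the case where the hello format and the negotiated protocol version differ.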