On 5/19/23 14:21, Zakharychev, Bob wrote:
ssl-default-bind-options no-tls-tickets ssl-min-ver TLSv1.2
<snip>
I'd suggest you try with ssl-default-bind-options as in my config, and maybe
ssl-default-bind-ciphers as well as these are for TLS <v1.3 and if that doesn't
help then downgrade quictls to 3.0.8+quic and see if that changes anything.
I have been unknowingly hampered in my tests by the fact that my
pacemaker cluster has been malfunctioning and moved the VIP to a
different server that did not have everything up to date. I added a
check for pacemaker status into my build scripts so it will warn me
about that particular problem with pacemaker. It keeps happening when I
reboot the servers for updates.
After thrashing the pacemaker cluster into obedience, I now have
everything fully functional and once again getting an A+ grade with this
config, haproxy 2.8dev12, and quictls 3.1.0:
ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256
ssl-default-bind-ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
ssl-default-bind-options ssl-min-ver TLSv1.2
Thanks,
Shawn
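As an added example (not code from this thread or from haproxy itself), here is a small offline linter for the global ssl-default-bind-* lines discussed above: it reports whether the TLS floor is pinned at TLSv1.2 or higher, whether every pre-1.3 cipher is a forward-secret AEAD suite, whether the TLS 1.3 suites are the expected ones, and whether no-tls-tickets (as in Bob's config) is set. The sample config embedded below is constructed from the settings quoted in the message.

```python
"""Lint haproxy global ssl-default-bind-* settings (added example, not haproxy code)."""
import re

# Constructed sample: the final settings Shawn reported as getting an A+.
SAMPLE_CONFIG = """
global
    ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256
    ssl-default-bind-ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
    ssl-default-bind-options ssl-min-ver TLSv1.2
"""

# Protocol versions accepted by haproxy's ssl-min-ver, weakest first.
TLS_ORDER = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
# The three TLS 1.3 cipher suites defined by RFC 8446 that OpenSSL enables by default.
GOOD_TLS13_SUITES = {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256"}


def parse_global_ssl(text):
    """Return a dict mapping each ssl-default-bind-* keyword to its value string."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"\s*(ssl-default-bind-\S+)\s+(.*\S)\s*$", line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def lint(text):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    s = parse_global_ssl(text)
    findings = []
    opts = s.get("ssl-default-bind-options", "").split()
    # Effective floor is whatever follows ssl-min-ver; flag it if absent or below TLSv1.2.
    min_ver = opts[opts.index("ssl-min-ver") + 1] if "ssl-min-ver" in opts else None
    if min_ver not in TLS_ORDER or TLS_ORDER.index(min_ver) < TLS_ORDER.index("TLSv1.2"):
        findings.append("minimum version not pinned at TLSv1.2 or higher")
    if "no-tls-tickets" not in opts:
        findings.append("session tickets enabled (no-tls-tickets not set)")
    # TLS <= 1.2 list: require ECDHE key exchange and an AEAD cipher (GCM or ChaCha20-Poly1305).
    for c in s.get("ssl-default-bind-ciphers", "").split(":"):
        if c and not (c.startswith("ECDHE-") and ("GCM" in c or "CHACHA20" in c)):
            findings.append(f"non-forward-secret or non-AEAD cipher: {c}")
    # TLS 1.3 list: only the standard AEAD suites are expected.
    for c in s.get("ssl-default-bind-ciphersuites", "").split(":"):
        if c and c not in GOOD_TLS13_SUITES:
            findings.append(f"unexpected TLS 1.3 suite: {c}")
    return findings


if __name__ == "__main__":
    print("\n".join(lint(SAMPLE_CONFIG)) or "no findings")
```

Run against the sample, the only finding is the missing no-tls-tickets option; everything else in the quoted config passes.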