HAProxy SSL Handshake failure on one server but not the other
I've been searching the net extensively but I'm not able to find a solution to this problem.
I have set up two servers behind KeepAlived and HAProxy. When both servers are up, I can see that both servers are hit (looking at the application logs) and that both work fine. However, when I take down the primary server, the clients are not able to connect to the second server and fail with SSL Handshake failure. Both servers have identical configurations for HAProxy and their SSL certificates are both identical.
My partial HAProxy configuration is:
    listen authentication_service
        bind xxx.xxx.xxx.111:2222 ssl crt /etc/ssl/certs/mycert.pem ciphers ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!RC4+R$
        balance roundrobin
        option tcpka
        option tcplog
        server serv1 xxx.xxx.xxx.xx1:2222 check inter 2000 rise 2 fall 5
        server serv2 xxx.xxx.xxx.xx2:2222 check inter 2000 rise 2 fall 5
To re-iterate, serv1 on its own or together with serv2 works fine. It's only when I take down serv1 that I get the SSL failures.
The HAProxy log for the failure is:
    Jan 3 14:21:08 serv-2 haproxy[9075]: [client ip address]:xyz [03/Jan/2015:14:21:08.734] authentication_service/1: SSL handshake failure
Would anyone be able to help me?
Many thanks in advance,
ssl haproxy
asked Jan 3 '15 at 14:32 by kha
So haproxy is running on serv1 and serv2 as well, HA via keepalived? Does the public IP switch to serv2 when you take down serv1?
– Felix Frank
Jan 7 '15 at 13:13
@FelixFrank Hi. Yes, the haproxy is running on both servers, so is keepalived. The public IP does indeed switch to serv2 when I take down serv1. The connection over HTTP also goes through fine. It's just the HTTPS connections that are throwing SSL Handshake exceptions.
– kha
Jan 7 '15 at 13:29
1 Answer
The SSL stack on your serv2 is busted, apparently.
Things to check:
- Are the certificate files identical?
- Are the haproxy configs identical and currently loaded?
- Are the SSL libraries identical?
answered Jan 8 '15 at 14:12 by Felix Frank
Yes, Yes and I have no idea how to check this. I'll try to figure out how to check the SSL libraries. Thank you for your help.
– kha
Jan 8 '15 at 17:47
Try ldd $(which haproxy).
– Felix Frank
Jan 8 '15 at 17:48
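The three checks from the answer above, collected into one report per node so that serv1 and serv2 can be compared line by line. This is an added example, not code from the thread; the function names and the config path in the usage comment are assumptions, while the PEM path is the one on the question's bind line.

```shell
#!/bin/sh
# Added example (not from the thread): one report per node covering the
# answer's three checks. Run on serv1 and serv2, then compare the two files.

# Keep only the TLS libraries from `ldd` output on stdin, as "soname path".
# The load address in parentheses changes per run, so it is dropped.
ssl_libs() {
    awk '$1 ~ /^lib(ssl|crypto)\./ { print $1, $3 }'
}

sha() { sha256sum < "$1" | cut -d' ' -f1; }

# $1 = haproxy binary, $2 = PEM named on the bind line, $3 = config file.
node_report() {
    bin=$1 pem=$2 cfg=$3
    echo "cert_sha256 $(sha "$pem")"
    # Hash of the file on disk; a config edited after the last reload
    # is not the one the running process uses.
    echo "cfg_sha256 $(sha "$cfg")"
    ldd "$bin" | ssl_libs | while read -r soname path; do
        echo "lib $soname $path"
        # The same path can hold different builds, so hash the file too.
        echo "lib_sha256 $soname $(sha "$path")"
    done
    # OpenSSL version haproxy was built with and is running on.
    "$bin" -vv | sed -n '/OpenSSL version/s/^/openssl /p'
}

# Print the names of the checks whose lines differ between two reports;
# return 1 if any differ.
compare_reports() {
    changed=$(sort "$1" "$2" | uniq -u | cut -d' ' -f1 | sort -u)
    [ -z "$changed" ] && return 0
    echo "$changed"
    return 1
}

# Usage on each node (config path is an assumption, not given on the page):
#   node_report "$(which haproxy)" /etc/ssl/certs/mycert.pem \
#       /etc/haproxy/haproxy.cfg > "report.$(hostname)"
# Then, with both files on one machine:
#   compare_reports report.serv1 report.serv2
```

A `lib` or `openssl` line in the output of `compare_reports` points at the third check in the answer: the two nodes resolve different TLS libraries or versions.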