Haproxy 1.8.8 SSL handshake failure



Hi Community,

I don't know why, but my HAProxy logs an “SSL handshake failure” several times, like this:

Jul 18 15:35:43 proxy1 haproxy[6477]: 192.168.100.100:51019 [18/Jul/2018:15:35:43.294] www-https/1: SSL handshake failure
Jul 18 15:35:43 proxy1 haproxy[6474]: 192.168.100.100:51020 [18/Jul/2018:15:35:43.294] www-https/1: SSL handshake failure
Jul 18 15:35:43 proxy1 haproxy[6464]: 192.168.100.100:51022 [18/Jul/2018:15:35:43.366] www-https/1: SSL handshake failure

The certificate is correct, valid, and contains the chain.

Here is my config file:

# Process-wide settings: logging, privilege drop, process/thread layout and
# the TLS defaults inherited by every "bind ... ssl" line.
global
# Log to the local syslog socket: everything on facility local0, and
# messages of level notice and above on facility local1.
log /dev/log    local0
log /dev/log    local1 notice
# Confine the process to this directory and drop to an unprivileged account.
chroot /var/lib/haproxy
# Runtime API socket. "level admin" allows every runtime command, and
# mode 660 lets the socket's owner and group use it.
# NOTE(review): confirm that only administrators are in that group.
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
# Connection limit; with nbproc it applies to each process separately.
maxconn 10240
# Eight worker processes, each pinned to one CPU (process N -> CPU N-1).
# The differing PIDs in the quoted log lines are consistent with this.
nbproc 8
cpu-map 1 0
cpu-map 2 1
cpu-map 3 2
cpu-map 4 3
cpu-map 5 4
cpu-map 6 5
cpu-map 7 6
cpu-map 8 7
# NOTE(review): nbthread is combined with nbproc here, and the auto: mapping
# below covers only the threads of process 1, which already has a mapping
# above. Threads were experimental in 1.8; confirm this combination is
# intended rather than left over from testing - TODO confirm.
nbthread 8
cpu-map auto:1/1-8 0-7
# The stats socket is served by process 8 only, so runtime commands and
# counters read through it reflect that one process.
stats bind-process 8
# Size of the Diffie-Hellman parameters used for DHE key exchange when the
# certificate file does not supply its own.
tune.ssl.default-dh-param 2048
# NOTE(review): this list still offers 3DES suites (ECDH+3DES, DH+3DES,
# RSA+3DES), a 64-bit block cipher exposed to birthday-bound attacks such as
# Sweet32, and static-RSA key exchange (RSA+...), which has no forward
# secrecy. Dropping them is the usual hardening step. A client that shares no
# suite with this list fails the handshake, so check client compatibility
# before tightening it.
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
# NOTE(review): only SSLv3 is disabled; TLS 1.0 and 1.1 remain enabled.
# HAProxy 1.8 accepts "ssl-min-ver TLSv1.2" (or "no-tlsv10 no-tlsv11") here.
ssl-default-bind-options no-sslv3

# Settings inherited by every frontend and backend declared after this point.
defaults
log global
mode http
# Add an X-Forwarded-For header carrying the client address.
option forwardfor
option http-server-close
option  httplog
option  dontlognull
# NOTE(review): because the stats page is enabled in "defaults", it is
# inherited by every proxy below, so /stats is likely reachable through the
# public listeners on ports 80 and 443. On port 80 the Basic-auth credentials
# would cross the network in clear text. Prefer a dedicated listener bound to
# a management address.
stats enable
stats uri /stats
stats realm Haproxy\ Statistics
# NOTE(review): admin:admin is a default-style, guessable credential, and it
# is now published in this post. If it is the live value, treat it as exposed
# and replace it with a strong, unique one.
stats auth admin:admin
# Timeouts without a unit are in milliseconds, so each of these is 50 seconds.
timeout connect 50000
#timeout connect 5000
timeout client  50000
timeout server  50000
# Static response files returned for HAProxy-generated errors.
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http

# Plain-HTTP listener on port 80. Requests are tagged as "http" and handed to
# www-backend, which redirects them to HTTPS.
frontend www-http
bind *:80
# NOTE(review): reqadd appends a header and does not remove an
# X-Forwarded-Proto the client already sent, so the servers may receive a
# client-chosen value as well. "http-request set-header X-Forwarded-Proto http"
# replaces any existing value instead.
reqadd X-Forwarded-Proto:\ http
default_backend www-backend

# TLS-terminating listener on port 443. This is the "www-https" proxy named
# in the quoted "SSL handshake failure" log lines.
# NOTE(review): that message is logged when a connection accepted here does
# not complete its TLS handshake, and the configuration alone cannot show why.
# Causes to rule out: clients that connect and close without sending a
# ClientHello (monitoring checks, port probes, speculative browser
# connections), clients sharing no protocol version or cipher with the
# settings in "global", and clients that reject the certificate. All three
# quoted lines come from 192.168.100.100 within the same second, so
# identifying that client is a reasonable first step.
frontend www-https
# The crt file is a single PEM. HAProxy expects it to hold the certificate,
# its private key and any intermediate certificates, so it should be readable
# by root only.
bind *:443 ssl crt /etc/ssl/private/cert.full.pem
# NOTE(review): reqadd appends rather than replaces; see whether
# "http-request set-header X-Forwarded-Proto https" is the intended behaviour.
reqadd X-Forwarded-Proto:\ https
default_backend www-backend

# Shared server pool for both frontends: source-IP consistent hashing plus a
# persistence cookie, a redirect to HTTPS and an HSTS response header.
backend www-backend
balance source
hash-type consistent
# Persistence cookie inserted by HAProxy.
# NOTE(review): it is issued without the "secure" and "httponly" keywords, so
# browsers may also send it over plain HTTP and expose it to scripts.
cookie SERVERID insert indirect nocache
# Send any request that did not arrive over TLS (i.e. via www-http) to HTTPS.
redirect scheme https if !{ ssl_fc }
# HSTS with a max-age of 15552000 seconds (180 days).
# NOTE(review): "includeSubDomains; preload" is hard to roll back, and the
# browser preload list asks for a max-age of at least one year. Confirm that
# every subdomain serves HTTPS before relying on it.
http-response set-header Strict-Transport-Security "max-age=15552000; includeSubDomains; preload;"
# Health-checked servers reached on port 80. TLS ends at the proxy, so the
# proxy-to-server traffic is unencrypted HTTP.
# NOTE(review): acceptable only if that network segment is trusted.
server Server1 srv1.example.com:80 check cookie Server1
server Server2 srv2.example.com:80 check cookie Server2
server Server3 srv3.example.com:80 check cookie Server3