no-tlsv11 no-tlsv10 no-sslv3
This configuration is correct, the configuration may not be properly applied (old haproxy instance running in the background with old configurations), you may hit a bug, or your measurements may not be accurate.
Provide the output of haproxy -vv
and openssl outputs from the haproxy machine (not a far end device crossing firewalls and other security devices, you may have SSL intercepting devices in the path), but 127.0.0.1:443
:
openssl s_client -tls1 127.0.0.1:443
openssl s_client -tls1_1 127.0.0.1:443
openssl s_client -tls1_2 127.0.0.1:443