So I've done some more research and wanted to match all ciphers on the AWS load balancer. I noticed that the AWS load balancer had the cipher TLS_RSA_WITH_3DES_EDE_CBC_SHA, which was not available on my load balancer.
As I've installed Ubuntu 18.04 for our new load balancers, we also got a new version of OpenSSL, version 1.1.0g. And as of version 1.1.x of OpenSSL, 3DES is disabled by default.
After installing a new load balancer with Ubuntu 16.04, shipped with OpenSSL 1.0.2g (easier than downgrading OpenSSL), we were able to configure HAProxy to match the ciphers of the AWS load balancer.
Running the same tests gave us the following results:
echo > /var/log/haproxy.log && service haproxy reload && date
Fri Sep 7 10:20:34 CEST 2018
date && echo -n "Failures: " && grep -c 'SSL handshake failure' /var/log/haproxy.log && echo 'show info' | sudo socat - /var/run/haproxy.sock | grep CumSslConns
Fri Sep 7 10:30:04 CEST 2018
Failures: 14
CumSslConns: 28575
As you can see, these counters are much better! We still have to ask ourselves the question why there's so much traffic using these old ciphers and whether it's worth keeping them supported, but that's a whole other question.
I think we can mark this topic as resolved. Thank you very much for the support @lukastribus!
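The measurement above (failed handshakes from the log versus CumSslConns from the stats socket) can be turned into a small repeatable check. The following script is an added example, not code from the thread or from HAProxy; the log lines and the 'show info' output it parses are constructed samples (the frontend name fe_https and host lb1 are made up), and the 3DES probe assumes an OpenSSL binary is on the PATH.

```shell
#!/bin/sh
# Added example: compute the TLS handshake failure rate from HAProxy's log
# and stats socket, and check whether the local OpenSSL build exposes 3DES.

# Constructed sample of /var/log/haproxy.log (frontend "fe_https" is hypothetical).
SAMPLE_LOG='Sep  7 10:21:01 lb1 haproxy[1234]: 203.0.113.10:51234 [07/Sep/2018:10:21:01.123] fe_https/1: SSL handshake failure
Sep  7 10:21:02 lb1 haproxy[1234]: 203.0.113.11:51235 [07/Sep/2018:10:21:02.456] fe_https~ be_app/s1 0/0/1/2/3 200 512 - - ---- 1/1/0/0/0 0/0 "GET / HTTP/1.1"
Sep  7 10:21:03 lb1 haproxy[1234]: 203.0.113.12:51236 [07/Sep/2018:10:21:03.789] fe_https/1: SSL handshake failure
Sep  7 10:21:04 lb1 haproxy[1234]: 203.0.113.13:51237 [07/Sep/2018:10:21:04.012] fe_https~ be_app/s1 0/0/1/2/3 200 512 - - ---- 1/1/0/0/0 0/0 "GET /health HTTP/1.1"'

# Constructed sample of 'show info' from the stats socket (only a few of the lines).
SAMPLE_INFO='Name: HAProxy
Version: 1.8.8
CumConns: 40000
CumSslConns: 28575
SslRate: 12'

# stdin: HAProxy log. Prints the number of lines reporting a failed TLS handshake.
count_handshake_failures() {
    grep -c 'SSL handshake failure'
}

# stdin: output of 'show info'. Prints the cumulative number of SSL connections.
cum_ssl_conns() {
    awk -F': ' '$1 == "CumSslConns" { print $2 }'
}

# $1 = failures, $2 = total SSL connections. Prints the failure rate in percent
# with two decimals; guards against a zero denominator right after a log reset.
failure_rate_pct() {
    awk -v f="$1" -v c="$2" 'BEGIN {
        if (c == 0) print "0.00"; else printf "%.2f\n", 100 * f / c
    }'
}

# Prints "yes" if the local OpenSSL build can offer TLS_RSA_WITH_3DES_EDE_CBC_SHA
# (OpenSSL's name for it is DES-CBC3-SHA), "no" otherwise. On OpenSSL 1.1.x built
# without enable-weak-ssl-ciphers the suite is absent from the list entirely.
# Assumes an openssl binary is on the PATH; prints "unknown" if it is not.
has_3des_cipher() {
    command -v openssl >/dev/null 2>&1 || { echo unknown; return 0; }
    if openssl ciphers -v 'ALL:COMPLEMENTOFALL' 2>/dev/null | grep -q 'DES-CBC3-SHA'; then
        echo yes
    else
        echo no
    fi
}

# Stand-alone run on the constructed samples. On a real load balancer, replace the
# two printf pipelines with the log file and the socat call from the thread.
failures=$(printf '%s\n' "$SAMPLE_LOG" | count_handshake_failures)
conns=$(printf '%s\n' "$SAMPLE_INFO" | cum_ssl_conns)
echo "Failures: $failures"
echo "CumSslConns: $conns"
echo "Failure rate: $(failure_rate_pct "$failures" "$conns")%"
echo "3DES available locally: $(has_3des_cipher)"
```

Feeding the thread's own numbers (14 failures over 28575 SSL connections) to failure_rate_pct gives 0.05%, which is the kind of figure worth tracking over time before deciding whether the 3DES-only clients still justify keeping the weak suite enabled.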