NO-TLSV11 - Layer 4 timeout on backend

We are trying to remediate a security finding on one of our HAProxy endpoints. We currently have this line and everything works OK:
ssl-default-bind-options no-sslv3 no-tlsv10
We then add the no-tlsv11 option to the bind setting and some of our backend servers time out or won't connect:
ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11

ERROR:
Server bk_exchange_2016_smtp/Server3 is DOWN, reason: Layer4 timeout, info: " at step 1 of tcp-check", check duration: 5001ms. 0 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue

The frontend cfg section is as follows (substituting IPs with xxx):

frontend ft_exchange_2016_smtp
option contstats
no option http-server-close
timeout client 1m
log global
option tcplog
bind xxx.xxx.xxx.xxx:25
mode tcp
default_backend bk_exchange_2016_smtp

backend bk_exchange_2016_smtp
option tcp-check
tcp-check expect string 220
option redispatch
balance leastconn
mode tcp
log global
default-server inter 5s rise 2 fall 3
server server1 server1.FQDN:25 weight 10 check
server server2 server2.FQDN:25 weight 10 check
server server3 server3.FQDN:25 weight 10 check

We are able to connect to the above servers with TLS 1.2 using OpenSSL, so not sure why the backend servers go down every time we add that no-tlsv11 option.
Do we need to add ssl-default-server-options to match the bind options?

To add, we currently have no ssl-default-server-options settings in the haproxy.cfg.

This doesn’t make sense. I don’t see any SSL configuration in this configuration, not in the frontend and not in the backend; also, SMTP on port 25 doesn’t do implicit SSL at all.

Maybe you shared the wrong configuration?

I agree it doesn't make sense to me and I am still trying to understand TLS.

Here is the HTTP portion, which also failed to start after the change.

To further complicate things, we cloned this HAProxy VM and reconfigured it the exact same way and it is working just fine with the no-tlsv11 setting, so I am at a loss.

frontend ft_exchange_2016_http
bind :80 name http
bind :443 name https ssl crt /etc/ssl/private/cert.pem
mode http
option http-keep-alive
no option httpclose
no option http-server-close
no option forceclose
option contstats
option dontlognull
log global
option httplog
timeout client 25s
timeout http-request 15s
maxconn 10000
#http-request redirect scheme https code 302 unless ssl_connection
default_backend bk_exchange_2016_http

backend bk_exchange_2016_http
balance source
hash-type consistent
mode http
option http-keep-alive
no option httpclose
no option http-server-close
no option forceclose
log global
option httplog
option forwardfor
option redispatch
retries 3
timeout server 25s
timeout connect 15s
timeout queue 30s
default-server inter 3s rise 2 fall 3
maxconn 10000
server server1 server1.phx.dsfcu.local:443 maxconn 5000 weight 10 ssl check verify none
server server2 server2.phx.dsfcu.local:443 maxconn 5000 weight 10 ssl check verify none
server server3 server3.phx.dsfcu.local:443 maxconn 5000 weight 10 ssl check verify none

Would the bind at the frontend itself have to explicitly have the SSL setting in order for the SSL options to apply?
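The question above is really about which lines a global ssl-default-bind-options or ssl-default-server-options line can reach: only bind lines and server lines that carry the ssl keyword. The script below is an added example (not from this thread or from the HAProxy project) that walks a haproxy.cfg and reports exactly those lines, so a reviewer can see that a TCP frontend with a plain bind on port 25 is untouched by bind options, and that a backend using ssl on its server lines with no ssl-default-server-options is running on HAProxy defaults. The embedded config is a constructed sample with placeholder hostnames.

```python
# Constructed sample (not the poster's real config): the SMTP and HTTPS pairs
# from the thread with placeholder hosts, plus the global line the poster quoted.
SAMPLE_CFG = """
global
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
frontend ft_exchange_2016_smtp
    bind 192.0.2.10:25
backend bk_exchange_2016_smtp
    server server1 smtp1.example.test:25 weight 10 check
frontend ft_exchange_2016_http
    bind :80 name http
    bind :443 name https ssl crt /etc/ssl/private/cert.pem
backend bk_exchange_2016_http
    server server1 web1.example.test:443 maxconn 5000 weight 10 ssl check verify none
"""

def audit_haproxy_tls(cfg_text):
    """Find where TLS is actually in play: the global default option lines,
    bind lines carrying the ssl keyword, and server lines carrying it."""
    result = {"bind_defaults": None, "server_defaults": None,
              "tls_binds": [], "tls_servers": []}
    section = None
    for raw in cfg_text.splitlines():
        words = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if not words:
            continue
        kw = words[0]
        if kw in ("global", "defaults", "frontend", "backend", "listen"):
            section = " ".join(words[:2])
        elif kw == "ssl-default-bind-options":
            result["bind_defaults"] = words[1:]
        elif kw == "ssl-default-server-options":
            result["server_defaults"] = words[1:]
        elif kw == "bind" and "ssl" in words[2:]:
            result["tls_binds"].append((section, words[1]))
        elif kw == "server" and "ssl" in words[3:]:
            # 'verify none' disables certificate checking on the backend leg
            verify = words[words.index("verify") + 1] if "verify" in words else "default"
            result["tls_servers"].append((section, words[1], verify))
    return result

def findings(audit):
    """Plain-language notes a reviewer would raise from the audit result."""
    notes = []
    if audit["tls_servers"] and audit["server_defaults"] is None:
        notes.append("server-side TLS in use but ssl-default-server-options is not set")
    for section, name, verify in audit["tls_servers"]:
        if verify == "none":
            notes.append(f"{section}: server {name} uses verify none")
    return notes
```

Run against the sample it reports one TLS bind (the :443 listener), one TLS server line, and two findings; the SMTP pair does not appear at all, which is why a bind-option change cannot explain a Layer 4 timeout there.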

You’d have to explain your entire setup, share the entire configurations and the output of haproxy -vv, as well as explaining exactly which part of your setup detects the Layer 4 timeout.