Windows XP IE 8 error ssl


#1
I have an SSL certificate by Comodo (only one site in haproxy). I have a problem with IE8 and Windows XP (I know this is EOL, but some computers in the company still use it). I get http/2: SSL handshake failure in my logs. Any clue?
My conf:
global

    tune.ssl.default-dh-param 2048
    ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
    ssl-default-bind-options no-sslv3 no-tls-tickets
    ssl-default-server-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
    ssl-default-server-options no-sslv3 no-tls-tickets

frontend http
    bind :80
    bind :443 ssl crt /etc/ssl/private/certificados.pem
    mode http
    option httplog
    log-format [%sslc]\ [%sslv]\ %ci:%cp\ [id=%ID]\ [%t]\ %f\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ {%hrl}\ {%hsl}\ %{+Q}r

#    redirect scheme https code 301 if { hdr_end(host) -i www.xxx.com } !{ ssl_fc }
    acl host_www hdr(host) -i  www.xxx.com
    use_backend www.xxx.com if host_www
    default_backend www.xxx.com
    http-response set-header Strict-Transport-Security max-age=15768000

backend  www.xxx.com
    mode http
    balance leastconn
    cookie SERVERID insert indirect nocache
    server sweb7002x 10.7.18.182:80 check cookie sweb7002


root@shap7101lx:/etc/ssl# haproxy -v
HA-Proxy version 1.7.3-1~bpo8+1 2017/03/02
Copyright 2000-2017 Willy Tarreau <willy@haproxy.org>

#2

You already allow DES-CBC3-SHA in your cipher suite, including TLSv1.0; so you should be good.

I assume you have a SHA2 cert, and did not upgrade to WinXP SP3, which allows SHA2 certificates.
Do upgrade to ServicePack 3, which allows SHA2 certificates.

Ain’t no way around SP3 on WinXP these days, trust me.


#3

The XP has SP3; if I put that certificate on Apache it works fine. But not in haproxy.

Thanks for your response.

Alejandro


#4

Is the intermediate certificate correctly installed in haproxy?

Double check that the intermediate certificate is there and served, you can check with ssltest at:
https://www.ssllabs.com/ssltest/

What is the exact error message in IE8 anyway?


#5

The page cannot be displayed… with the error in the SSL handshake on the haproxy.

I put the certificate, the intermediate and the private key all in the same file.
It works with old Firefox 2 and 3 versions on Windows XP, even with Chrome on XP… but no luck with Explorer.


#6

Are you sure there are no strange settings in Internet Explorer? Confirm that TLS is enabled in the advanced settings.

Can you tell us the domain, so we can check it out?
Or at least run it yourself through ssltest as mentioned earlier, and check for certificate issue and IE8onXP compatibility?


#7

It works with haproxy 1.5 on Debian 7, but not with haproxy 1.7 on Debian 8. Which openssl version in Debian?

Put this in your hosts file:

149.56.15.63 www.bancocredicoop.coop

then in ie8
https://www.bancocredicoop.coop:8443

Alejandro Perretta

#8

Ok, can you provide the output of:
haproxy -vv

from your working debian 7, and non-working debian 8 installation?

Both debian 7 and debian 8 use openssl 1.0.1, this is supposed to work fine.

But I can see that it doesn't work when simulating IE8 via curl (forcing TLSv1.0 with DES-CBC3-SHA), so there must be some kind of build issue (and I see you are using a backport build, so I wanna know what the haproxy -vv output looks like exactly).

curl -vvI --resolve www.bancocredicoop.coop:8443:149.56.15.63 https://www.bancocredicoop.coop:8443 --tlsv1.0 -k --ciphers "DES-CBC3-SHA"

* Added www.bancocredicoop.coop:8443:149.56.15.63 to DNS cache
* Rebuilt URL to: https://www.bancocredicoop.coop:8443/
* Hostname www.bancocredicoop.coop was found in DNS cache
*   Trying 149.56.15.63...
* Connected to www.bancocredicoop.coop (149.56.15.63) port 8443 (#0)
* Cipher selection: DES-CBC3-SHA
* TLSv1.0 (OUT), TLS Unknown, Certificate Status (22):
* TLSv1.0 (OUT), TLS handshake, Client hello (1):
* TLSv1.0 (IN), TLS Unknown, Unknown (21):
* TLSv1.0 (IN), TLS alert, Server hello (2):
* error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
* Closing connection 0
curl: (35) error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

#9

The problem was the openssl version.
I've downgraded openssl, libssl and zlib to the Debian 7 versions on Debian 8.

The version not working:

root@shap7101lx:~# haproxy -vv
HA-Proxy version 1.7.3-1~bpo8+1 2017/03/02


#10

You are right, the problem is the version of haproxy. I've upgraded the ssl and it works OK with haproxy 1.5… but not with 1.7.

Working (repo jessie):
root@shap7101lx:~# haproxy -vv
HA-Proxy version 1.5.8 2014/10/31


#11

The problem is the mix between backported haproxy and stock openssl.
Backported haproxy is linked against OpenSSL 1.0.2, while openssl on jessie really is 1.0.1.

The interesting part from “haproxy -vv” is the output of openssl build and running version.
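An added helper, not from this thread or the HAProxy project, that turns the two diagnostics above into a script: it compares the "Built with OpenSSL version" and "Running on OpenSSL version" lines of `haproxy -vv` (post #11) and, when given a host, repeats the post #8 probe with `openssl s_client` forced to TLS 1.0 and DES-CBC3-SHA. The sample `haproxy -vv` text and its version numbers are constructed for illustration; only the field labels are real.

```shell
#!/bin/sh
# Detect an HAProxy binary linked against a different OpenSSL than the one
# it loads at runtime: the build/runtime mismatch this thread ended on.

# Constructed sample of the relevant "haproxy -vv" lines (versions made up).
SAMPLE_VV='HA-Proxy version 1.7.3-1~bpo8+1 2017/03/02
Built with OpenSSL version : OpenSSL 1.0.2k  26 Jan 2017
Running on OpenSSL version : OpenSSL 1.0.1t  3 May 2016'

# Print the "x.y.z" token from the line that starts with label $1 (stdin).
ssl_version_field() {
    grep "^$1" | sed -n 's/^[^:]*: *OpenSSL \([0-9][0-9a-z.]*\).*/\1/p' | head -n 1
}

# Read haproxy -vv output on stdin; print "OK <ver>" or
# "MISMATCH built=<ver> running=<ver>"; exit 1 on mismatch, 2 if unparsable.
check_ssl_versions() {
    vv=$(cat)
    built=$(printf '%s\n' "$vv" | ssl_version_field 'Built with OpenSSL version')
    running=$(printf '%s\n' "$vv" | ssl_version_field 'Running on OpenSSL version')
    if [ -z "$built" ] || [ -z "$running" ]; then
        echo "UNKNOWN: OpenSSL version lines not found"
        return 2
    fi
    if [ "$built" = "$running" ]; then
        echo "OK $built"
        return 0
    fi
    echo "MISMATCH built=$built running=$running"
    return 1
}

# Handshake probe like post #8's curl, via openssl s_client: TLS 1.0 only,
# DES-CBC3-SHA only, which is what an IE8-on-XP client can offer.
# Needs network; $1 = host, $2 = port (default 443). Caveat: recent OpenSSL
# builds may refuse this suite on the client side, which also reads as FAILED.
probe_tls10_3des() {
    printf '' | openssl s_client -connect "$1:${2:-443}" -servername "$1" \
        -tls1 -cipher DES-CBC3-SHA >/dev/null 2>&1 \
        && echo "handshake OK" || echo "handshake FAILED"
}

# Demo on the constructed sample; on a real box use: haproxy -vv | check_ssl_versions
if printf '%s\n' "$SAMPLE_VV" | check_ssl_versions; then
    echo "haproxy and libssl agree"
else
    echo "install haproxy and libssl from the same repository"
fi
if [ "$#" -gt 0 ]; then
    probe_tls10_3des "$1" "$2"
fi
```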


#12

Yes, that's right. Now I'm online with 1.5 without problems.

Thanks for your quick responses!

Alejandro
