What is the name of the domain?
api2 < dot > my own account.net
What is the issue you’re encountering
Client connections stop when using Minimum TLS 1.2
What steps have you taken to resolve the issue?
Our 4 corporate customers use our API which is fronted by HaProxy. I know one of them has a Fortinet and 2 others are on AWS. The 4th one was installed this year on a recent VM.
HaProxy has a valid Let's Encrypt certificate and is configured to only accept TLS 1.2 and TLS 1.3. When using “openssl s_client -connect” from my PC, it reports among other things:
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
SSL handshake has read 2992 bytes and written 303 bytes
Verification: OK
New, TLSv1.2, Cipher is ECDHE-ECDSA-CHACHA20-POLY1305
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
…etc…
Cloudflare is configured with “Minimum TLS 1.0” and “Full Encryption” mode, and I can also see successful client connections in the HaProxy log using TLSv1.3 TLS_AES_256_GCM_SHA384.
Now I am trying to set “Minimum TLS 1.2” on Cloudflare but as soon as I do so, all connections stop until I put “TLS 1.0” back. From my PC it works fine though.
I don't even see the typical “SSL handshake failure” messages in the log, nothing is being logged.
I also have asked one client to test “openssl s_client -connect :443 -tls1_2” from their VM and I am waiting on their output.
Any suggestions on how to debug this further? Does that ring a bell? I am far from being an expert with these, so any hint will be appreciated.
Thanks a bunch!
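The post's own check is a single “openssl s_client -tls1_2” run. As an added example (not from the original post or from Cloudflare/HAProxy), the script below turns that into a per-version probe: it tries TLS 1.0, 1.1, 1.2 and 1.3 in turn against a host you operate and reports what each handshake negotiated, by parsing the “New, <protocol>, Cipher is <cipher>” line that s_client prints (the same line quoted in the post). It assumes an `openssl` binary on PATH; the hostname and port are supplied by the caller. Because Cloudflare terminates TLS at its edge when proxying, probing the public hostname tests Cloudflare's minimum-version setting, while probing the origin's own address tests HAProxy, so running it against both separates the two hops.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes `openssl` is installed.
# Usage: sh tls_probe.sh <host> <port>   (only against endpoints you operate)

# Read openssl s_client output on stdin and print "<protocol> <cipher>",
# or "FAILED" when no session was established (s_client then prints
# "New, (NONE), Cipher is (NONE)").
parse_s_client() {
    awk '
        /^New, / {
            # e.g. "New, TLSv1.2, Cipher is ECDHE-ECDSA-CHACHA20-POLY1305"
            sub(/^New, /, "")
            split($0, parts, ", Cipher is ")
            proto = parts[1]
            cipher = parts[2]
        }
        END {
            if (cipher == "" || cipher == "(NONE)") print "FAILED"
            else print proto, cipher
        }
    '
}

# Attempt one handshake pinned to a single protocol version.
# $3 is one of: tls1 tls1_1 tls1_2 tls1_3 (openssl s_client flag names).
probe_tls_version() {
    host=$1; port=$2; version=$3
    printf '%-8s ' "$version"
    # -servername sends SNI, which a CDN edge or HAProxy SNI routing needs
    # to pick the right certificate. stdin is closed so s_client exits
    # right after the handshake instead of waiting for request data.
    openssl s_client -connect "$host:$port" -servername "$host" "-$version" \
        </dev/null 2>/dev/null | parse_s_client
}

# Probe every version; a healthy "minimum TLS 1.2" endpoint shows FAILED
# for tls1 and tls1_1 and a protocol/cipher pair for tls1_2 and tls1_3.
probe_all() {
    for v in tls1 tls1_1 tls1_2 tls1_3; do
        probe_tls_version "$1" "$2" "$v"
    done
}

if [ "$#" -eq 2 ]; then
    probe_all "$1" "$2"
fi
```

If a client VM shows FAILED for tls1_2 and tls1_3 but succeeds on tls1 or tls1_1, that client's TLS stack is what the stricter Cloudflare setting is rejecting; since the rejection then happens at the Cloudflare edge, nothing reaches HAProxy, which is consistent with the empty origin log described above.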