From RH Bug list:
It appears the cause was identified and fixed in the latest haproxy upstream
release, 1.5.7. From the release announcement on the haproxy mailing list:
- John Leach reported an interesting bug in the way SSL certificates were
loaded: if a certificate with an invalid subject (no parsable CN) is
loaded as the first in the list, its context will not be updated with the
bind line arguments, resulting in such a certificate accepting SSLv3
despite the "no-sslv3" keyword. That was diagnosed and fixed by Emeric.
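An added check, not from the bug report or the haproxy project, for the two conditions named above: whether any certificate in load order lacks a parsable CN, and whether the listener actually refuses SSLv3 once "no-sslv3" is set. It assumes openssl on the PATH (an SSLv3-capable build for the probe); certificate paths, HOST and PORT are placeholders.

```shell
#!/bin/sh
# Added example, not taken from the bug report or from haproxy: audit the
# certificates a bind line loads and confirm the listener refuses SSLv3.
# Assumes openssl on PATH; the probe also needs an OpenSSL build that still
# has SSLv3 compiled in. Certificate paths, HOST and PORT are placeholders.

# has_cn SUBJECT_LINE: succeed if the subject printed by openssl carries a CN.
# Covers both "CN = x" (OpenSSL 1.1+) and "/CN=x" (older) output formats.
has_cn() {
    case "$1" in
        *", CN = "*|"subject=CN = "*|*"/CN="*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_certs FILE...: pass the PEM files in the order haproxy loads them
# (bind line or crt-list order). Prints any file whose subject has no parsable
# CN; a hit in position #1 is the case the 1.5.x bug mishandles.
# Returns 1 if any file is unparsable or lacks a CN.
audit_certs() {
    rc=0; pos=0
    for f in "$@"; do
        pos=$((pos + 1))
        if ! subj=$(openssl x509 -noout -subject -in "$f" 2>/dev/null); then
            echo "#$pos $f: not a parsable certificate"; rc=1
        elif ! has_cn "$subj"; then
            echo "#$pos $f: subject has no CN ($subj)"; rc=1
        fi
    done
    return $rc
}

# sslv3_refused HOST PORT: succeed if an SSLv3-only handshake is rejected.
# A completed handshake shows "Protocol  : SSLv3" in s_client's output.
sslv3_refused() {
    if ! openssl s_client -help 2>&1 | grep -q -- '-ssl3'; then
        echo "this openssl build has no SSLv3 support; run the probe elsewhere"
        return 2
    fi
    out=$(openssl s_client -ssl3 -connect "$1:$2" </dev/null 2>/dev/null) || true
    if printf '%s\n' "$out" | grep -q 'Protocol *: SSLv3'; then
        echo "SSLv3 accepted by $1:$2 (bind-line no-sslv3 not in effect)"
        return 1
    fi
    return 0
}

# Usage (placeholders): audit_certs /etc/haproxy/certs/*.pem; sslv3_refused HOST 443
```

Run the audit against the exact file order haproxy uses, since the bug only bites when the CN-less certificate is loaded first.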