Yes, it is a certificate error: a very stupid one. I've used the wrong CA cert - from a different hierarchy. I'm sorry for the hassle. Nevertheless, thanks for your support.

Carsten

-----Original Message-----
From: openssl-users [mailto:openssl-users-bounces@xxxxxxxxxxx] On behalf of Jakob Bohm via openssl-users
Sent: Friday, 25 January 2019 02:17
To: openssl-users@xxxxxxxxxxx
Subject: Re: decrypt error

Since this seems to be a certificate issue, would it be possible to make the server log all the certificate checking steps and errors with the failing certificates?

One obvious test would be to try connecting to the "openssl s_server" utility with a similar configuration and lots of debug options.

Another would be to install all the debug symbols and run haproxy under a debugger with strategically set breakpoints to look at the execution stack when errors are reported or validation occurs.

On 24/01/2019 16:55, Scharfenberg, Carsten wrote:
> Yes, it works if I deactivate client auth.
> Concerning the cipher: I use one specific cipher on server and on client side. This is the only cipher supported by the actual hardware client.
> Concerning the sigalg: I've had big trouble with this because, due to a bug in the client, I need to restrict the sigalgs offered by the server. This is not possible with haproxy. But it is possible with openssl.cnf since version 1.1.1. This is why I've installed haproxy and openssl from Debian testing.
> So I'm very confident about the cipher suite and the signature algorithm.
>
> I've just created a new certificate hierarchy. Et voilà: it works.
> So obviously this issue is certificate-related.
> Still I have to figure out what is wrong with the old certificates because I cannot replace them in the productive environment.
> My next step will be to create a new hierarchy again that matches the original hierarchy as closely as possible (including constraints and extensions).
>

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users