What are you using to cipher/decipher the SSL traffic before haproxy? Stunnel, nginx, apache, something else?
I suspect it might be related to the lack of "option httpclose" on your port 80, but it's not clear to me why it would cause an issue to only a few visitors.
You can increase the apache loglevel to get more information about the HAPROXY hello request.
To see what happens you could use curl and switch on verbose messages:
curl -k -v https://real-https-apache.com
Curl should inform you about the different processes, including client-hello and server-hello.
Then also check the apache logs.
This is what such a curl request looks like:
$ curl -k -v https://graph.facebook.com
* About to connect() to graph.facebook.com port 443 (#0)
* Trying 66.220.146.100... connected
* Connected to graph.facebook.com (66.220.146.100) port 443 (#0)
* error setting certificate verify locations, continuing anyway:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: none
* SSLv2, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using AES128-SHA
* Server certificate:
* subject: /C=US/ST=California/L=Palo Alto/O=Facebook, Inc./CN=*.facebook.com
* start date: 2010-01-13 00:00:00 GMT
* expire date: 2013-04-11 23:59:59 GMT
* common name: *.facebook.com (matched)
* issuer: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
> GET / HTTP/1.1
> User-Agent: curl/7.18.0 (i486-pc-linux-gnu) libcurl/7.18.0 OpenSSL/0.9.8g zlib/1.2.3.3 libidn/1.1
> Host: graph.facebook.com
> Accept: */*
>
< HTTP/1.1 302 Found
< Cache-Control: private, no-cache, no-store, must-revalidate
< Expires: Sat, 01 Jan 2000 00:00:00 GMT
< Location: http://developers.facebook.com/docs/api
< Pragma: no-cache
< X-FB-Rev: 575092
< Content-Type: text/html; charset=utf-8
< X-FB-Debug: sYq1u5Ffp1JE7p5IafErxiU6MNT6i1fXCEkn51nFxr8=
< Date: Mon, 18 Jun 2012 10:49:17 GMT
< Connection: keep-alive
< Content-Length: 0
<
* Connection #0 to host graph.facebook.com left intact
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):
Best Answer
Changing the protocol to anything other than SSLv3 is not supported for ssl-hello-chk. Instead, you can use tcp-check on port 8243.
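
The change this answer describes, as an added configuration sketch that is not from the original thread. The backend name, server name, address 192.0.2.10, the check timings and the use of `mode tcp` are assumptions; only port 8243 and the two check types come from the answer.

```haproxy
# Added example; be_apache_ssl, apache1 and 192.0.2.10 are placeholders.
backend be_apache_ssl
    mode tcp                      # assumption: TLS is passed through to the server

    # Before: the health check sends an SSLv3 client hello, the only
    # protocol version ssl-hello-chk speaks. A server that refuses SSLv3
    # rejects the hello and is marked down.
    # option ssl-hello-chk

    # After: generic TCP check against port 8243.
    option tcp-check
    tcp-check connect port 8243   # passes once the TCP connection is accepted

    # On an HAProxy build with SSL support, the line above can instead be
    #   tcp-check connect port 8243 ssl
    # so the check completes a real handshake at a negotiated version.

    server apache1 192.0.2.10:8243 check inter 5s fall 3 rise 2
```

After merging this into the real configuration, `haproxy -c -f <config file>` validates the syntax before a reload.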