ALPN, server did not agree to a protocol - TLS alert, Client hello (1)


#1

Hello everyone,

I am getting the following error when I am trying to send a query that passes through our haproxy!

  • SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
  • ALPN, server did not agree to a protocol
  • Server certificate:

    < Connection: close
    <
  • Closing connection 1
  • TLSv1.2 (OUT), TLS alert, Client hello (1):

My request and its output are as follows:

curl -vvv POST https://api-test.terster.com/retailers/v4/orders/create -H 'api-key: AIzaSyBGEpZdLHIuylgJKJGLKdfsgRjSdKu6ZctiuyI' -H 'content-type: application/json' -d '{
"marketing_carrier": "XXX",
"departure_station": "XXX",
"arrival_station": "XXX",
"departure_time": "2018-09-15T13:00",
"arrival_time": "2018-09-15T22:15",
"retailer_partner_number": "123456",
"title": "mr",
"first_name": "XXX",
"last_name": "XXX",
"email": "XXX@mail.com",
"phone": "40505051150",
"city": "London",
"zip_code": "10123",
"street_and_number": "XXX. 23",
"execute_payment": false,
"payment_method": "demand_note",
"total_price": 2900,
"pax": 1,
"terms_accepted": true,
"locale": "en",
"currency": "EUR",
"send_customer_email": false,
"passengers":[
{
"first_name": "XXX",
"last_name": "XXX",
"type": "PADX"
}
]
}'

  • Rebuilt URL to: POST/
  • Could not resolve host: POST
  • Closing connection 0
    curl: (6) Could not resolve host: POST
  • Trying 16.16.15.19…
  • TCP_NODELAY set
  • Connected to api-test.terster.com (16.16.15.19) port 443 (#1)
  • ALPN, offering h2
  • ALPN, offering http/1.1
  • successfully set certificate verify locations:
    CAfile: /etc/pki/tls/certs/ca-bundle.crt
    CApath: none
  • TLSv1.2 (OUT), TLS handshake, Client hello (1):
  • TLSv1.2 (IN), TLS handshake, Server hello (2):
  • TLSv1.2 (IN), TLS handshake, Certificate (11):
  • TLSv1.2 (IN), TLS handshake, Server key exchange (12):
  • TLSv1.2 (IN), TLS handshake, Server finished (14):
  • TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
  • TLSv1.2 (OUT), TLS change cipher, Client hello (1):
  • TLSv1.2 (OUT), TLS handshake, Finished (20):
  • TLSv1.2 (IN), TLS handshake, Finished (20):
  • SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
  • ALPN, server did not agree to a protocol
  • Server certificate:
  • subject: OU=Domain Control Validated; CN=*.terster.com
  • start date: Feb 27 11:23:01 2018 GMT
  • expire date: Jan 22 13:24:05 2019 GMT
  • subjectAltName: host "api-test.terster.com" matched cert's "*.terster.com"
  • issuer: C=US; ST=Arizona; L=Scottsdale; O=Starfield Technologies, Inc.; OU=http://certs.starfieldtech.com/repository/; CN=Starfield Secure Certificate Authority - G2
  • SSL certificate verify ok.

POST /retailers/v4/orders/create HTTP/1.1
Host: api-test.terster.com
User-Agent: curl/7.59.0
Accept: */*
api-key: AIzaSyBGEpZdxbufTSpcIxWXoRjSdKu6ZctiuyI
content-type: application/json
Content-Length: 897

  • upload completely sent off: 897 out of 897 bytes
    < HTTP/1.1 308 Permanent Redirect
    < Content-length: 0
    < Location: https://api-test.terster.com/orders/create
    < Connection: close
    <
  • Closing connection 1
  • TLSv1.2 (OUT), TLS alert, Client hello (1):

My haproxy config for this redirection part is as follows:

 http-request set-var(req.scheme) str(https) if { ssl_fc }
 http-request set-var(req.scheme) str(http)  if !{ ssl_fc }
 http-request redirect code 308 location %[var(req.scheme)]://%[hdr(host)]%[url,regsub(^/retailers/v4/orders,/orders,)] if { path_beg /retailers/v4/orders }

Btw, my query works successfully on https://api-test.terster.com/orders/create but not on this one https://api-test.terster.com/retailers/v4/orders/create and I want to make it work on the second one.

I do appreciate any help or suggestion for fixing this issue.


#2

That’s not an error, and has absolutely nothing to do with any application problems you may be facing.

curl -vvv POST https://api-test.terster.com/retailers/v4/orders/create

That’s not a valid curl command. You’d have to specify -X POST instead, check your error message from curl:

Rebuilt URL to: POST/
Could not resolve host: POST
Closing connection 0
curl: (6) Could not resolve host: POST

Looks like haproxy is doing everything you expect haproxy to do. Maybe your backend application doesn’t like that URI?

You’d have to check what actually happens in the failure scenario. Also use the -L flag in curl to make it actually follow redirects.

If you want to post more outputs, please use the preformatted text feature in this forum. TTY output is hardly readable otherwise (quoting doesn’t change anything).


#3

Thank you for your clear response and recommendations @lukastribus.
Following redirection showed that it works fine.
Thanks again.
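
The behaviour discussed in this thread, as an added example that is not part of the original posts: a local stand-in for the haproxy redirect rule (same regsub rewrite and 308 status, but plain HTTP on a loopback port instead of TLS) and a client that either stops at the 308, as curl does without -L, or follows it and re-sends the POST body. The names `rewrite`, `Handler`, `post` and `demo`, the `created:` reply and the sample body are assumptions made for the illustration.

```python
import http.client
import re
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

def rewrite(url):
    # Same substitution as the rule's regsub(^/retailers/v4/orders,/orders,)
    return re.sub(r"^/retailers/v4/orders", "/orders", url, count=1)

class Handler(BaseHTTPRequestHandler):
    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if self.path.startswith("/retailers/v4/orders"):  # path_beg condition
            status, reply = 308, b""
        else:  # constructed stand-in for the backend application
            status, reply = 200, b"created:" + body
        self.send_response(status)
        if status == 308:  # scheme fixed to http here (no TLS in the stand-in)
            self.send_header("Location", "http://" + self.headers["Host"] + rewrite(self.path))
        self.send_header("Content-Length", str(len(reply)))
        self.end_headers()
        self.wfile.write(reply)

    def log_message(self, *args):  # keep the demo quiet
        pass

def post(port, path, body, follow):
    for _ in range(5):  # bounded, so a redirect loop cannot spin forever
        conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
        conn.request("POST", path, body, {"Content-Type": "application/json"})
        resp = conn.getresponse()
        data, location = resp.read(), resp.getheader("Location")
        conn.close()
        if resp.status != 308 or not follow:
            return resp.status, data
        target = urlsplit(location)  # 308 keeps the method and the body
        path = target.path + ("?" + target.query if target.query else "")
    raise RuntimeError("too many redirects")

def demo():
    server = HTTPServer(("127.0.0.1", 0), Handler)  # port 0: pick a free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        port, body = server.server_address[1], b'{"pax": 1}'  # constructed body
        return (post(port, "/retailers/v4/orders/create", body, follow=False),
                post(port, "/retailers/v4/orders/create", body, follow=True))
    finally:
        server.shutdown()
        server.server_close()
```

Calling `demo()` returns the result without following the redirect first and the result with following second.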