Cannot send TLSv1.2 through haproxy

According to the requirement, I want to send APIs with TLSv1.2 (this version only) to a server through haproxy. I tried multiple options for changing the TLS version.
In the backend:

  1. server destserver ssl-min-ver TLSv1.2
  2. server destserver check ssl verify none ssl-min-ver TLSv1.2
  3. server destserver check ssl verify none no-sslv3 ciphers TLSv1.2
  4. server destserver check ssl verify none no-sslv3 ssl-min-ver TLSv1.2
  5. server destserver check ssl verify none force-tlsv12

In the global section:

  1. tune.ssl.default-dh-param 1024
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

These approaches did not work.
As a temporary fix, the working structure for now is an SNI check in the backend:

  1. server destserver ssl verify none check-sni <ip_without_port> sni str(<ip_without_port>) check

But I still need a correct fix to pass the APIs with the appropriate TLS version.

This is negotiated in the SSL handshake. You don’t have to do anything special to be able to connect to a TLSv1.2-only server.

I don’t know what either one of those statements mean exactly.

Share the entire configuration, the output of haproxy -vv and elaborate what it is that you are seeing please.

global
    maxconn     500000
    log local1

defaults
    log                     global
    mode                    http
    option                  httplog
    option                  dontlognull
    option http-keep-alive
    timeout http-request    <http_request_timeout> # 15s
    timeout queue           1m
    timeout connect         20s
    timeout client          <client_timeout> # 3600s
    timeout server          <server_timeout> # 3600s
    timeout http-keep-alive 14400s
    timeout check           30s
    maxconn                 500000
    errorfile 400 /etc/haproxy/errors/400.json
    errorfile 408 /etc/haproxy/errors/408.json
    errorfile 500 /etc/haproxy/errors/500.json
    errorfile 502 /etc/haproxy/errors/502.json
    errorfile 503 /etc/haproxy/errors/503.json
    errorfile 504 /etc/haproxy/errors/504.json
listen stats
  bind :1111
  mode http
  stats enable
  option http-keep-alive
  timeout connect 100s
  timeout client 1m
  timeout server 18s
  timeout http-request 18s
  timeout http-keep-alive 14400s
  stats hide-version
  stats realm Haproxy\ Statistics
  stats uri /
  stats auth stats:stats
frontend http-in

    bind *:<http_in_port>
    default_backend             ebackend

    http-request capture hdr(username) len 64

    acl health_pin path_beg -i /prob
    use_backend health if health_pin

backend ebackend

    http-request set-header Host <ip>
    server dest_server <ip> ssl verify none check-sni <ip_wport> sni str(<ip_wport>) check

backend health
    mode http
    http-request set-log-level silent
    errorfile 503 /etc/haproxy/errors/200.json

This is the configuration file…
Is there any way we can force TLSv1.2 in this config file?

What you are saying does not make any sense.

I assume your backend requires SNI, so without it, it doesn’t work.
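As an added example (not posted by anyone in this thread), here is a backend stanza that pins the outgoing handshake to TLS 1.2 only while still sending SNI, which is what the working line above relies on. `ssl-min-ver` and `ssl-max-ver` are the supported way to bound the version on a `server` line (`force-tlsv12` is the older, deprecated spelling of the same thing), and note that `ssl-default-bind-options` only affects `bind` lines, i.e. the frontend side, so it never touched the connection to the backend; the server-side equivalent is `ssl-default-server-options`. `<ip>`, `<ip_wport>` and the CA bundle path are placeholders taken from or added to the poster's config.

```haproxy
global
    # Applies to every "server ... ssl" line that does not override it.
    # ssl-default-bind-options would only apply to frontend "bind" lines.
    ssl-default-server-options ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.2

backend ebackend
    mode http
    http-request set-header Host <ip>
    # min == max pins the negotiated version to exactly TLS 1.2.
    # "sni" sets the SNI on traffic connections, "check-sni" on health checks;
    # a backend that requires SNI rejects the handshake without them.
    # "verify required" with a CA bundle (placeholder path) replaces
    # "verify none", so the server certificate is actually validated.
    server dest_server <ip> ssl ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.2 sni str(<ip_wport>) check check-sni <ip_wport> verify required ca-file /etc/haproxy/certs/ca-bundle.pem
```

To confirm what was actually negotiated, log the `ssl_bc_protocol` sample fetch (for example via `http-response set-header X-Backend-TLS %[ssl_bc_protocol]` on a test backend, or in a custom `log-format`) and check that it reads `TLSv1.2`; with min and max both set to TLSv1.2, a server that offers only another version will fail the handshake rather than silently negotiate something else.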