I am working to replace all the CentOS 7 servers and upgrade to Oracle 9 where possible. One snag is that the openssl library that ships with 9 (3.0.7) does not support any TLS version below 1.2. Unfortunately there are a few legacy systems that cannot use TLSv1.2 and Development refuses to update, so I hope I can link haproxy to an older version of libssl. If not, I will fall back to OL8.
I am trying to do this with haproxy v2.8.3.
I loaded the compatibility package compat-openssl11 (1.1.1k) and tried compiling with the command:
```shell
make clean
make -j $(nproc) TARGET=linux-glibc USE_OPENSSL=1 USE_ZLIB=1 USE_PCRE=1 USE_LUA=1 USE_SYSTEMD=1 SSL_LIB=/usr/lib64/libssl.so.1.1
```
However, ldd still shows it linking to libssl3:
```plain
ldd haproxy |grep -E "(libssl|crypto)"
libssl.so.3 => /lib64/libssl.so.3 (0x00007f4d95522000)
libcrypto.so.3 => /lib64/libcrypto.so.3 (0x00007f4d950f1000)
```
Obviously I am doing something wrong but I don’t know what.
Suggestions?
Unless you are a packaging expert, do not recompile haproxy with a custom openssl build.
You will create a never ending stream of issues for you and your successors, including security issues when there is something urgent to patch.
I’d challenge this claim. It is true that openssl deprecated more things in the default security level, which requires making additional configurations if you want TLSv1.0 and 1.1 in openssl 3.0.
Reset the SECLEVEL to 0 if you want to override those openssl defaults, also see:
Linked GitHub issue (opened 15 Feb 2023 10:38 UTC, closed the same day at 12:17 UTC, status: invalid):
### Detailed Description of the Problem
The `ssl-default-bind-options ssl-min-ver TLSv1.0` instruction has no effect in HAProxy 2.4.19 or more recent.
I didn't see any mention about a change regarding SSL versions support in the changelog.
I know TLS 1.0 is deprecated but this is for a setup in which we need to support very old devices.
### Expected Behavior
The `ssl-default-bind-options ssl-min-ver TLSv1.0` instruction should work like in HAProxy 2.4.18.
### Steps to Reproduce the Behavior
Use the global `ssl-default-bind-options ssl-min-ver TLSv1.0` instruction.
Verify if TLS 1.0 and 1.1 are accepted or not.
### Do you have any idea what may have caused this?
_No response_
### Do you have an idea how to solve the issue?
_No response_
### What is your configuration?
```haproxy
global
    log 127.0.0.1 local0 info
    chroot /etc/haproxy/
    maxconn 102400
    tune.ssl.cachesize 1000000
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-bind-options ssl-min-ver TLSv1.0 no-tls-tickets

resolvers docker
    nameserver dns 127.0.0.11:53

defaults
    log global
    log /dev/log local0
    log monitoring-agent local0 info
    mode http
    option redispatch
    timeout connect 5s
    timeout client 1d
    timeout server 1d
    default-server init-addr last,libc,none check inter 10s rise 1 resolvers docker
    monitor-uri /haproxy/status
    errorfile 400 /usr/local/etc/haproxy/errors/400.http
    errorfile 403 /usr/local/etc/haproxy/errors/403.http
    errorfile 408 /usr/local/etc/haproxy/errors/408.http
    errorfile 500 /usr/local/etc/haproxy/errors/500.http
    errorfile 502 /usr/local/etc/haproxy/errors/502.http
    errorfile 503 /usr/local/etc/haproxy/errors/503.http
    errorfile 504 /usr/local/etc/haproxy/errors/504.http

frontend http
    bind :80
    bind :443 ssl crt /etc/haproxy/ssl/ crt /le-certificates/ alpn h2,http/1.1
    ..
```
### Output of `haproxy -vv`
```plain
HAProxy version 2.4.22-f8e3218 2023/02/14 - https://haproxy.org/
Status: long-term supported branch - will stop receiving fixes around Q2 2026.
Known bugs: http://www.haproxy.org/bugs/bugs-2.4.22.html
Running on: Linux 5.15.49-linuxkit #1 SMP Tue Sep 13 07:51:46 UTC 2022 x86_64
Build options :
TARGET = linux-musl
CPU = generic
CC = cc
CFLAGS = -O2 -g -Wall -Wextra -Wdeclaration-after-statement -fwrapv -Wno-address-of-packed-member -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-clobbered -Wno-missing-field-initializers -Wno-cast-function-type -Wtype-limits -Wshift-negative-value -Wshift-overflow=2 -Wduplicated-cond -Wnull-dereference
OPTIONS = USE_PCRE2=1 USE_PCRE2_JIT=1 USE_GETADDRINFO=1 USE_OPENSSL=1 USE_LUA=1 USE_PROMEX=1
DEBUG =
Feature list : -51DEGREES +ACCEPT4 -BACKTRACE -CLOSEFROM +CPU_AFFINITY +CRYPT_H -DEVICEATLAS +DL +EPOLL -EVPORTS +FUTEX +GETADDRINFO -KQUEUE +LIBCRYPT +LINUX_SPLICE +LINUX_TPROXY +LUA -MEMORY_PROFILING +NETFILTER +NS -OBSOLETE_LINKER +OPENSSL -OT -PCRE +PCRE2 +PCRE2_JIT -PCRE_JIT +POLL +PRCTL -PRIVATE_CACHE -PROCCTL +PROMEX -PTHREAD_PSHARED -QUIC +RT +SLZ -STATIC_PCRE -STATIC_PCRE2 -SYSTEMD +TFO +THREAD +THREAD_DUMP +TPROXY -WURFL -ZLIB
Default settings :
bufsize = 16384, maxrewrite = 1024, maxpollevents = 200
Built with multi-threading support (MAX_THREADS=64, default=8).
Built with OpenSSL version : OpenSSL 3.0.8 7 Feb 2023
Running on OpenSSL version : OpenSSL 3.0.8 7 Feb 2023
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
Built with Lua version : Lua 5.3.6
Built with the Prometheus exporter as a service
Built with network namespace support.
Built with libslz for stateless compression.
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built with PCRE2 version : 10.42 2022-12-11
PCRE2 library supports JIT : yes
Encrypted password support via crypt(3): yes
Built with gcc compiler version 12.2.1 20220924
Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.
Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
h2 : mode=HTTP side=FE|BE mux=H2 flags=HTX|CLEAN_ABRT|HOL_RISK|NO_UPG
fcgi : mode=HTTP side=BE mux=FCGI flags=HTX|HOL_RISK|NO_UPG
<default> : mode=HTTP side=FE|BE mux=H1 flags=HTX
h1 : mode=HTTP side=FE|BE mux=H1 flags=HTX|NO_UPG
<default> : mode=TCP side=FE|BE mux=PASS flags=
none : mode=TCP side=FE|BE mux=PASS flags=NO_UPG
Available services : prometheus-exporter
Available filters :
[SPOE] spoe
[CACHE] cache
[FCGI] fcgi-app
[COMP] compression
[TRACE] trace
```
### Last Outputs and Backtraces
_No response_
### Additional Information
_No response_
That would also be an acceptable solution.
Recompiling on your own, well, in that case you really are on your own.
OK. I tried that and it seems to work. For future reference, these are the relevant settings I settled on:
```haproxy
ssl-default-bind-options ssl-min-ver TLSv1.0
ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA:@SECLEVEL=0
```
I verified the connectivity using openssl s_client.
Thank you for your help.
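The thread ends with "verified the connectivity using openssl s_client", which has a catch on the very host being upgraded: the s_client binary uses the same OpenSSL 3 library and the same system crypto-policy as haproxy, so it may refuse to offer TLS 1.0 or 1.1 at all and report "no protocols available" even when the listener is fine. The script below is an added example (not code from the thread, HAProxy, or OpenSSL) that checks a listener independently of the local libssl: it hand-builds a minimal ClientHello for each of TLS 1.0, 1.1 and 1.2 over a plain socket and reports whether the server answers with a ServerHello (accepted, with the negotiated version) or an alert such as `protocol_version` (rejected). Host, port and SNI name are command-line arguments; the defaults `127.0.0.1:443` and the cipher-suite list are assumptions for illustration. It also lets you confirm that the lowered minimum really is confined to the legacy listener once you move `ssl-min-ver TLSv1.0` and the `@SECLEVEL=0` cipher string from the global `ssl-default-bind-*` lines onto that one `bind` line (both keywords are accepted per-bind) and keep TLS 1.2 as the minimum elsewhere.

```python
"""Probe which TLS versions a listener accepts, using a hand-built ClientHello.

Runs over a raw socket, so the verdict does not depend on the local OpenSSL's
security level or crypto-policy (which may itself refuse TLS 1.0/1.1).
Added example; host/port/SNI defaults and the offered suites are assumptions.
"""
import os
import socket
import struct
import sys

TLS_VERSIONS = {"TLSv1.0": (3, 1), "TLSv1.1": (3, 2), "TLSv1.2": (3, 3)}
VERSION_NAMES = {v: k for k, v in TLS_VERSIONS.items()}

# Suites offered in every ClientHello: the first two exist only in TLS 1.2,
# the remaining SHA-1 suites are what a TLS 1.0/1.1 listener can negotiate.
CIPHER_SUITES = [0xC030, 0xC02F, 0xC014, 0xC013, 0x0035, 0x002F]

ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version",
               71: "insufficient_security"}


def _ext(ext_type, body):
    """Encode one TLS extension: type, 2-byte length, body."""
    return struct.pack("!HH", ext_type, len(body)) + body


def build_client_hello(version, sni=None):
    """Return one TLS record holding a minimal ClientHello for `version`."""
    major, minor = TLS_VERSIONS[version]
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    exts = b""
    if sni:  # server_name: list length, name_type host_name (0), length, name
        name = sni.encode()
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        exts += _ext(0x0000, struct.pack("!H", len(entry)) + entry)
    groups = struct.pack("!HHH", 0x001D, 0x0017, 0x0018)  # x25519, P-256, P-384
    exts += _ext(0x000A, struct.pack("!H", len(groups)) + groups)
    exts += _ext(0x000B, b"\x01\x00")  # ec_point_formats: uncompressed only
    sigalgs = struct.pack("!HHHH", 0x0401, 0x0501, 0x0201, 0x0403)
    exts += _ext(0x000D, struct.pack("!H", len(sigalgs)) + sigalgs)
    body = (bytes([major, minor]) + os.urandom(32) + b"\x00"   # version, random, no session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                       # compression: null only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type client_hello
    # Record-layer version stays at 3.1 regardless of the offered version.
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_server_response(data):
    """Classify the first record the server sent back.

    Returns ("accepted", "TLSv1.x") for a ServerHello, ("rejected", alert)
    for an alert record, or ("error", reason) for anything else.
    """
    if len(data) < 5:
        return ("error", "short read")
    ctype, _major, _minor, length = struct.unpack("!BBBH", data[:5])
    payload = data[5:5 + length]
    if ctype == 0x15 and len(payload) >= 2:          # alert: level, description
        return ("rejected", ALERT_NAMES.get(payload[1], f"alert_{payload[1]}"))
    if ctype == 0x16 and len(payload) >= 6 and payload[0] == 0x02:  # ServerHello
        ver = (payload[4], payload[5])               # after type(1) + length(3)
        return ("accepted", VERSION_NAMES.get(ver, f"{ver[0]}.{ver[1]}"))
    return ("error", f"unexpected record type {ctype:#x}")


def probe(host, port, version, sni=None, timeout=5.0):
    """Send one ClientHello and classify the reply; network errors count as rejections."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_client_hello(version, sni))
            data = b""
            while len(data) < 5:
                chunk = s.recv(4096)
                if not chunk:
                    return ("rejected", "connection closed")
                data += chunk
            need = 5 + struct.unpack("!H", data[3:5])[0]
            while len(data) < need:
                chunk = s.recv(4096)
                if not chunk:
                    break
                data += chunk
            return parse_server_response(data)
    except (ConnectionResetError, socket.timeout) as exc:
        return ("rejected", type(exc).__name__)


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    sni = sys.argv[3] if len(sys.argv) > 3 else None
    for v in TLS_VERSIONS:
        status, detail = probe(host, port, v, sni)
        print(f"{v}: {status} ({detail})")
```

Run it as `python3 tlsprobe.py <host> <port> [sni]` against the legacy listener (expect TLS 1.0 accepted) and against every other `bind` (expect `protocol_version` or a closed connection for 1.0 and 1.1). A listener that answers a TLS 1.0 ClientHello with a ServerHello carrying version 3.3 has simply negotiated up, which is fine; a `handshake_failure` alert means the version was acceptable but no offered suite was, so compare the `CIPHER_SUITES` list with the listener's cipher string before concluding anything about versions.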