Compile Haproxy with a Different Version of Openssl

I am working to replace all the CentOS 7 servers and upgrade to Oracle 9 where possible. One snag is that the openssl library that ships with 9 (3.0.7) does not support any TLS version below 1.2. Unfortunately there are a few legacy systems that cannot use TLSv1.2 and Development refuses to update, so I hope I can link haproxy to an older version of libssl. If not, I will fall back to OL8.

I am trying to do this with haproxy v2.8.3

I loaded the compatibility package compat-openssl11 (1.1.1k) and tried compiling with the command:

make clean
make -j $(nproc) TARGET=linux-glibc USE_OPENSSL=1 USE_ZLIB=1 USE_PCRE=1 USE_LUA=1 USE_SYSTEMD=1 SSL_LIB=/usr/lib64/libssl.so.1.1

However, ldd still shows it linking to libssl3

ldd haproxy |grep -E "(libssl|crypto)"

libssl.so.3 => /lib64/libssl.so.3 (0x00007f4d95522000)
libcrypto.so.3 => /lib64/libcrypto.so.3 (0x00007f4d950f1000)

Obviously I am doing something wrong but I don’t know what.

Suggestions?

Unless you are a packaging expert, do not recompile haproxy with a custom openssl build.

You will create a never ending stream of issues for you and your successors, including security issues when there is something urgent to patch.

I’d challenge this claim. It is true that openssl deprecated more things in the default security level, which requires making additional configurations if you want TLSv1.0 and 1.1 in openssl 3.0.

Reset the SECLEVEL to 0 if you want to override those openssl defaults, also see:

That would also be an acceptable solution as well.

Recompiling on your own, well, in that case you really are on your own.

OK. I tried that and it seems to work. For future reference these are the relevant settings I settled on:

  ssl-default-bind-options ssl-min-ver TLSv1.0

  ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA:@SECLEVEL=0

I verified the connectivity using openssl s_client.

Thank you for your help.

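To confirm which protocol versions a frontend actually negotiates after a SECLEVEL change like the one above (the author checked with openssl s_client), here is an added probe script that is not from this thread or the HAProxy project; the host and port are assumptions passed on the command line, and the client side also lowers its own SECLEVEL so that an OpenSSL 3 client does not refuse to offer TLSv1.0/1.1 and report a false negative.

```shell
#!/bin/sh
# Added example (not from the thread): report which TLS versions a listener
# accepts. Usage: ./tlsprobe.sh <host> [port]   (host/port are assumptions)

# Read openssl s_client output on stdin and print the negotiated protocol
# from the "Protocol  : TLSvX" line of the SSL-Session block, or "none"
# when no session was established (handshake refused, connection failed).
negotiated_protocol() {
    awk '
        $1 == "Protocol" && $2 == ":" { proto = $3 }
        END { print (proto == "" ? "none" : proto) }
    '
}

# Try one handshake per protocol version and print the result per line.
# "-cipher ALL:@SECLEVEL=0" applies to the *client* only; without it an
# OpenSSL 3 s_client will not even offer TLSv1.0/1.1, so every legacy probe
# would show "none" regardless of what the server is configured to allow.
probe_tls_versions() {
    host=$1
    port=${2:-443}
    for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
        result=$(printf 'Q\n' | openssl s_client -connect "$host:$port" \
                    -servername "$host" "$flag" -cipher 'ALL:@SECLEVEL=0' \
                    2>/dev/null | negotiated_protocol)
        printf '%-8s %s\n' "$flag" "$result"
    done
}

# Only probe when a host was given, so the functions can be sourced/tested.
if [ $# -gt 0 ]; then
    probe_tls_versions "$@"
fi
```

A frontend that should keep the OpenSSL 3 defaults is expected to show "none" for -tls1 and -tls1_1; only the listener carrying the legacy settings should negotiate them.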