Hi Team,
Good Day!
- Configured HAProxy to proxy requests to the backend server
- Configured it to listen on the HTTP and HTTPS ports (80 and 443 respectively)
- Configured the SSL certificate for HAProxy as per the official HAProxy documentation (created a PEM file by concatenating the key, certificate and bundle)
- It keeps throwing an SSL error {SSL Handshake Failure}
HAProxy Configuration file:
global
    log /dev/log local0 debug
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    user haproxy
    group haproxy
    daemon
    tune.ssl.capture-cipherlist-size 800

    # Default SSL material locations
    ca-base /etc/apache2/ssl
    crt-base /etc/apache2/ssl

    # See: Mozilla SSL Configuration Generator
    # ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    # ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    # ssl-default-bind-options no-sslv3 no-tlsv10
    # ssl-default-server-options no-sslv3 no-tlsv10

defaults
    log global

listen stats
    bind *:1936
    mode http
    log global
    timeout queue 100s
    stats enable
    stats hide-version
    stats refresh 30s
    stats show-node
    stats auth admin:password
    stats uri /haproxy?stats
    log global
    mode http
    option httplog
    option dontlognull
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 504 /etc/haproxy/errors/504.http

frontend apache2.service
    bind *:80
    # ssl-max-ver TLSv1.2 caps the listener at TLS 1.2, so TLS 1.3 clients cannot negotiate it
    bind *:443 ssl crt /etc/apache2/ssl/test18-04.pem ssl-max-ver TLSv1.2 ciphers AES256-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA
    http-request redirect scheme https unless { ssl_fc }
    default_backend abcservices
    log-format "%ci:%cp [%t] %ft %b/%s %Tw/%Tc/%Tt %B %ts %ac/%fc/%bc/%sc/%rc %sq/%bq %sslv %sslc %[ssl_fc_cipherlist_str]"

backend abcservices
    balance roundrobin
    # option httpchk GET /healthcheck
    # server abc.service 127.0.0.1:5001 check
    server abc.service 127.0.0.1:5001
    # note: log-format is a defaults/frontend/listen keyword; HAProxy warns and ignores it in a backend section
    log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %TR/%Tw/%Tc/%Tr/%Ta\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq
- Could you please provide me with the possible causes of the SSL handshake failure?
- How can we overcome and correct the SSL handshake failure with the above configuration?
I found on the Internet that SSL handshake failures may happen due to the scenarios below:
- Protocol mismatch: tested all the TLS versions (TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.3), still facing the SSL handshake failure
- Cipher suite mismatch: tested with the existing working cipher suites in the HAProxy configuration, still an SSL handshake failure. Not sure about the cipher suite; which suite will work for the above configuration?
- Incorrect certificate: checked with an SSL checker, which passed it.
-> Outputs of the related commands below:
curl -v --tls-max 1.2 https://server.com/health
It says connected
SSL verification successful
HTTP/1.1 200 OK message
Error Message:
ALPN, server did not agree to a protocol
-> Certificate verification using openssl throws:
SSL handshake has read 6832 bytes and written 667 bytes
Verification error: self signed certificate in certificate chain
- We are not using self-signed certificates anywhere; instead we are using GoDaddy certificates on our server.
Can you please help us in the areas below:
- How can we handle this error message?
- A solution for the SSL handshake failure
- Cipher suite suggestions
- What further areas can we test?
- Suggestions/solutions to handle this error
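As an added example (not from the original post or from HAProxy itself), here is a shell script that checks a concatenated HAProxy PEM bundle of the kind described above (block order, key/certificate match, leaf-to-root chain order and whether a root is bundled) and then probes the listener with openssl s_client per TLS version, which covers both the "self signed certificate in certificate chain" output and the ALPN message quoted above. The bundle path, host and port are assumed placeholders; it needs the openssl command line tool.

```shell
# Sanity-check a concatenated HAProxy PEM bundle and probe the TLS listener.
# Added example; the bundle path, host and port are placeholders.

# List the PEM block types in file order (a HAProxy bundle is normally
# CERTIFICATE, PRIVATE KEY, then the intermediate CERTIFICATE blocks).
pem_block_types() {
  sed -nE 's/^-----BEGIN (.*)-----$/\1/p' "$1"
}

# Return 0 when the private key in the bundle matches the first certificate;
# openssl x509/pkey each read the first block of their own type and skip others.
pem_key_matches_cert() {
  local cert_pub key_pub
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# Return 0 when each certificate is followed by its issuer (leaf first), the
# order HAProxy sends to clients. A bundled self-signed root is reported: that is
# what makes openssl s_client say "self signed certificate in certificate chain"
# when that root is not in the client's trust store (GoDaddy roots included).
pem_chain_order() {
  local dir n i=1 issuer subject
  dir=$(mktemp -d)
  n=$(grep -c 'BEGIN CERTIFICATE' "$1" || true)
  [ "$n" -gt 0 ] || { rm -rf "$dir"; return 1; }
  awk -v d="$dir" '/BEGIN CERTIFICATE/{c++; f=d "/" c ".pem"} f{print > f} /END CERTIFICATE/{close(f); f=""}' "$1"
  while [ "$i" -lt "$n" ]; do
    issuer=$(openssl x509 -in "$dir/$i.pem" -noout -issuer)
    subject=$(openssl x509 -in "$dir/$((i + 1)).pem" -noout -subject)
    if [ "${issuer#issuer=}" != "${subject#subject=}" ]; then
      echo "chain broken: certificate $i is not issued by certificate $((i + 1))"
      rm -rf "$dir"; return 1
    fi
    i=$((i + 1))
  done
  issuer=$(openssl x509 -in "$dir/$n.pem" -noout -issuer)
  subject=$(openssl x509 -in "$dir/$n.pem" -noout -subject)
  [ "${issuer#issuer=}" = "${subject#subject=}" ] && echo "bundle ends with a self-signed root"
  rm -rf "$dir"
}

# Probe the listener per TLS version. With "ssl-max-ver TLSv1.2" on the bind line
# the -tls1_3 attempt is expected to fail; "No ALPN negotiated" means the bind
# line carries no "alpn h2,http/1.1", which is what curl's ALPN message reflects.
probe_tls() {  # usage: probe_tls host port
  for v in -tls1_2 -tls1_3; do
    printf '%s: ' "$v"
    openssl s_client -connect "$1:$2" -servername "$1" -alpn h2,http/1.1 "$v" </dev/null 2>&1 |
      grep -E '^(Protocol|Cipher|ALPN protocol|No ALPN|Verify return code)' | tr '\n' ' '
    echo
  done
}
```

Run the three pem_ functions against the bundle on the HAProxy host and probe_tls against the public name; a chain that is reported as broken or a key that does not match is fixed in the bundle, while a bundled root only changes what an unconfigured verifier prints, not whether the handshake succeeds.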