CRITICAL - HAProxy SSL Handshake failure issue

Hi Team,

Good Day!

  • Configured HAProxy to proxy the requests to the backend server
  1. Configured it to listen on the HTTP and HTTPS ports (80 and 443 respectively)
  2. Configured the SSL certificate for HAProxy as per the official HAProxy documentation (created a PEM file by concatenating the key, certificate and bundle)
  3. It keeps throwing an SSL error (SSL Handshake Failure)

HAProxy Configuration file:

global
    log /dev/log local0 debug
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    user haproxy
    group haproxy
    daemon
    tune.ssl.capture-cipherlist-size 800

    # Default SSL material locations
    ca-base /etc/apache2/ssl
    crt-base /etc/apache2/ssl

    # See: Mozilla SSL Configuration Generator
    # ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    # ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    # ssl-default-bind-options no-sslv3 no-tlsv10
    # ssl-default-server-options no-sslv3 no-tlsv10

defaults
    log global

listen stats
    bind *:1936
    mode http
    log global
    timeout queue 100s
    stats enable
    stats hide-version
    stats refresh 30s
    stats show-node
    stats auth admin:password
    stats uri /haproxy?stats

    log     global
    mode    http
    option  httplog
    option  dontlognull
    timeout connect 5000
    timeout client  50000
    timeout server  50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 504 /etc/haproxy/errors/504.http

frontend apache2.service
    bind *:80
    bind *:443 ssl crt /etc/apache2/ssl/test18-04.pem ssl-max-ver TLSv1.2 ciphers AES256-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA
    http-request redirect scheme https unless { ssl_fc }
    default_backend abcservices
    log-format "%ci:%cp [%t] %ft %b/%s %Tw/%Tc/%Tt %B %ts %ac/%fc/%bc/%sc/%rc %sq/%bq  %sslv %sslc %[ssl_fc_cipherlist_str]"

backend abcservices
    balance roundrobin
    # option httpchk GET /healthcheck
    # server abc.service 127.0.0.1:5001 check
    server abc.service 127.0.0.1:5001
    log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %TR/%Tw/%Tc/%Tr/%Ta\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq

  1. Could you please provide me with the possible causes of the SSL handshake failure?
  2. How do we overcome and correct the SSL handshake failure with the above configuration?

I found on the Internet that an SSL handshake failure may happen due to the below scenarios:

  • Protocol mismatch: tested all the TLS versions (TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.3), still facing the SSL handshake failure.
  • Cipher suite mismatch: tested with the existing working cipher suite in the HAProxy configuration, still an SSL handshake failure.
    Not sure about the cipher suite; which suite will work for the above configuration?
  • Incorrect certificate:
    checked with an SSL checker and it passed.

—> Outputs of the related commands below:

curl -v --tls-max 1.2 https://server.com/health
It says connected,
SSL verification successful,
HTTP/1.1 200 OK message.
Error message:

ALPN, server did not agree to a protocol

—> Certificate verification using openssl is throwing:

SSL handshake has read 6832 bytes and written 667 bytes
Verification error: self signed certificate in certificate chain

  • We are not using self-signed certificates anywhere; instead we are using GoDaddy certificates on our server.

Can you please help us in the below areas:

  • How can we handle this error message?
  • Solution for the SSL handshake failure
  • Cipher suite suggestions
  • What further areas can we test?
    - Suggestions/solutions to handle this error

Which client gives that error? Could it be that your client doesn't know the GoDaddy root cert?

Thanks for the reply @Markus

Client in the sense, we have an IoT device and mobile apps.

You mean to say that those two need to be aware of the certificates…? @Markus!
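As an added example that is not part of the thread, the script below reproduces the openssl verdicts behind the question above and Markus's reply on a constructed chain: it assembles the PEM the way the post describes for HAProxy's crt (key, certificate, bundle) and verifies it against a trust store that holds the root and one that does not. It assumes only a POSIX shell and the openssl command-line tool; the TestRoot, TestIntermediate, OtherRoot and server.example names are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: build the HAProxy "crt" PEM the way the post
# describes (key + certificate + bundle) from a constructed test chain, then show
# how openssl's verdict depends on what the verifying client trusts.
set -eu

# make_chain DIR: constructed root -> intermediate -> leaf chain, plus an
# unrelated root standing in for a client trust store that lacks our root.
make_chain() {
  d=$1; mkdir -p "$d"; printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj /CN=TestRoot \
    -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj /CN=OtherRoot \
    -keyout "$d/other.key" -out "$d/other.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj /CN=TestIntermediate \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/int.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj /CN=server.example \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -out "$d/leaf.crt" 2>/dev/null
  # The file HAProxy's "crt" expects: private key, leaf, then the intermediates.
  cat "$d/leaf.key" "$d/leaf.crt" "$d/int.crt" > "$d/haproxy.pem"
  # Same file with the root appended (CA bundle downloads often include it).
  cat "$d/haproxy.pem" "$d/root.crt" > "$d/haproxy-with-root.pem"
}

# verify_pem PEM CAFILE: verify the first certificate of a HAProxy PEM against
# CAFILE alone, treating the remaining certificates as the chain a client would
# receive. Prints openssl's verdict; exit status is openssl verify's (0 = OK).
verify_pem() {
  pem=$1; cafile=$2; tmp=$(mktemp -d)
  awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} n{print > (d "/c" n ".pem")}' "$pem"
  set -- "$tmp/c1.pem"
  if [ -f "$tmp/c2.pem" ]; then
    cat "$tmp"/c[2-9].pem > "$tmp/chain.pem"; set -- -untrusted "$tmp/chain.pem" "$@"
  fi
  openssl verify -no-CAfile -no-CApath -CAfile "$cafile" "$@" 2>&1
}

# demo: the three outcomes a client can see for the same server certificate.
demo() {
  d=$(mktemp -d); make_chain "$d"
  verify_pem "$d/haproxy.pem" "$d/root.crt" || :            # OK: client trusts our root
  verify_pem "$d/haproxy.pem" "$d/other.crt" || :           # error 20: unable to get local issuer certificate
  verify_pem "$d/haproxy-with-root.pem" "$d/other.crt" || : # error 19: self signed certificate in certificate chain
}
demo
```

Error 19 is the verdict the post's openssl run reports; it appears only when the served chain carries a self-signed root the verifying side does not trust, whereas a root that is simply missing from the client's store shows up as error 20.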