Enable TLS 1.0 & TLS 1.1 in haproxy 2.4

Hello,

Currently I use haproxy 2.4 18 on Ubuntu 22.04 and openssl 3.0.2.

For an internal application we use a haproxy cluster as a failover system. I am trying to re-enable TLS 1.0 & TLS 1.1 in haproxy. I know this is generally a bad idea, because every modern application should be able to talk TLS 1.2 & TLS 1.3, but we have a specific financial application in the intranet which runs through haproxy and is now not able to make an SSL handshake anymore.

I tried to re-enable TLS 1.0 & TLS 1.1 with the usual configuration options like ssl-min-ver or even force-tlsv10, but nothing works. TLS 1.0 & TLS 1.1 are not offered in the SSL handshake.

I read some posts that with openssl 3.0.1 TLS 1.0 & TLS 1.1 were moved to a different SECLEVEL, but every change I make in my haproxy.cfg has no effect.

haproxy says that the config file is valid and also reports that “OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3”, but it has no practical effect.

Is there anybody who has a working configuration to re-enable TLS 1.0 & TLS 1.1, or some other hints to solve my problem?

Thanks,
Hans

To convince openssl 3.0 to allow TLSv1.0 additional steps are required.

You can append :@SECLEVEL=0 to ssl-default-bind-ciphers or manually edit your openssl.cnf to lower the SECLEVEL to 0.

Hello,

thank you, this is working. I think I tricked myself. I had this kind of configuration already tested, but my test was using “openssl s_client”, which was not working with TLS 1.0 and 1.1. But I think this was based on the openssl configuration itself. I used another SSL analyzer and this shows TLS 1.0 and 1.1 again.

Thank you,
Hans

Correct, the openssl s_client has the exact same problem.
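The SECLEVEL fix from the answer above, written out as an added haproxy.cfg example (not from any poster): the legacy protocols are enabled on one dedicated frontend only, the cluster-wide default stays at TLS 1.2+, and the TLS version is logged so the remaining old clients can be tracked. Frontend and backend names, the listen address and the certificate path are assumptions. The comments also show the openssl s_client invocation that needs the same SECLEVEL change, which is why a default s_client test shows no TLS 1.0/1.1.

```haproxy
global
    log /dev/log local0
    # Cluster-wide default stays TLS 1.2+ with the default SECLEVEL.
    ssl-default-bind-options ssl-min-ver TLSv1.2
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384

defaults
    log global
    mode http
    timeout connect 5s
    timeout client 30s
    timeout server 30s

# Assumed frontend for the single legacy intranet application.
# Only this bind line lowers the OpenSSL security level; ssl-min-ver
# alone has no effect on OpenSSL 3.0 because SECLEVEL 1 refuses TLS < 1.2.
frontend fe_legacy_finance
    bind 10.0.0.10:443 ssl crt /etc/haproxy/certs/legacy.pem ssl-min-ver TLSv1.0 ssl-max-ver TLSv1.2 ciphers DEFAULT:@SECLEVEL=0
    # %sslv logs the negotiated TLS version per request, so the clients
    # still stuck on TLS 1.0/1.1 can be identified and migrated.
    log-format "%ci:%cp [%tr] %ft %b/%s %ST %B sslv=%sslv sslc=%sslc %HM %HU"
    default_backend be_legacy_finance

backend be_legacy_finance
    server app1 10.0.1.10:8443 check

# Every other frontend keeps the global TLS 1.2+ default.
frontend fe_modern
    bind 10.0.0.11:443 ssl crt /etc/haproxy/certs/modern.pem
    default_backend be_modern

backend be_modern
    server app2 10.0.1.20:8443 check

# Verification (OpenSSL 3.0 s_client needs the same SECLEVEL change,
# otherwise it refuses TLS 1.0/1.1 on the client side as well):
#   openssl s_client -connect 10.0.0.10:443 -tls1   -cipher 'DEFAULT:@SECLEVEL=0' </dev/null
#   openssl s_client -connect 10.0.0.10:443 -tls1_1 -cipher 'DEFAULT:@SECLEVEL=0' </dev/null
#   openssl s_client -connect 10.0.0.11:443 -tls1_1 -cipher 'DEFAULT:@SECLEVEL=0' </dev/null   # must fail
```

Check the result with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading, and watch the `sslv=` field in the logs to confirm that only the legacy frontend ever negotiates TLSv1 or TLSv1.1.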