Haproxy 2.0.0 with self signed cert Mysql handshake failure

reziel84 · November 12, 2020, 12:45pm

Hi there
I have a big issue regarding connection Haproxy to mysql throught ssl with mysql self signed cert.
Below my cfg
global
log 127.0.0.1 local0
user haproxy
group haproxy
maxconn 10000
stats socket ipv4@127.0.0.1:9997 level admin
stats socket /var/run/haproxy.sock mode 666 level admin
stats timeout 2m
ssl-server-verify none
tune.ssl.default-dh-param 2028
ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256

defaults
log global
retries 2
timeout connect 5000
timeout server 50000
timeout client 50000

listen stats
bla bla bla for webif…

listen Databases_QA
bind :3307 ssl crt /etc/haproxy/cert-qa/full-client.pem
mode tcp
option ssl-hello-chk
option mysql-check user haproxy
balance roundrobin
server DBQ01 10.x.x.1:3306 ssl crt /etc/haproxy/cert-qa/full-client.pem verifycheck maxconn 2000 inter 4000
server DBQ02 10.x.x.2:3306 ssl crt /etc/haproxy/cert-qa/full-client.pem verify none check maxconn 2000 backup inter 4000

Each time same error: “SSL Handshake failure” or “SSL Handshake failer (Broken Pipe)”

full-client.pem is a cut/paste of mysql self signed cert client-key.pem client-cert.pem, this is wrong?
under mysql folder i have a lot of files, which of this i need to use?

ca-key.pem
ca.pem
client-cert.pem
client-key.pem
private_key.pem
public_key.pem
server-cert.pem
server-key.pem

Please could you help me?

IgorC · November 18, 2020, 8:16am

The verify here means haproxy needs to verify the certificate presented by the MySQL server and since that cert is self signed it can not do so. Either point haproxy to the CA of the self signed cert (or the cert itself) or try with verify none .

reziel84 · November 18, 2020, 2:17pm

hi Igor and thanks for your help…please forget this line
server DBQ01 10.x.x.1:3306 ssl crt /etc/haproxy/cert-qa/full-client.pem verifycheck maxconn 2000 inter 4000
because i comment it like this
#server DBQ01 10.x.x.1:3306 ssl crt /etc/haproxy/cert-qa/full-client.pem verifycheck maxconn 2000 inter 4000
but i have the same error, problem is on DBQ02

IgorC · November 18, 2020, 11:31pm

As per usual you start by manually verifying that your cert will work, use openssl lets say to do that to connect from haproxy server to the mysql service.

Also you are not clear about the error. Where do you see that error, on the client side or haproxy? If you see it on the client side (the client talking to haproxy) that is also expected since the client would need to have the self signed certificate itself in order to verify it (you are using the same cert as haproxy certificate too):

bind :3307 ssl crt /etc/haproxy/cert-qa/full-client.pem

That’s the thing when working with self signed certificates, you need to distribute the self signed cert to every client connecting.

Steffen · January 13, 2021, 8:17am

Hey folks,
I want to renew this topic.
I standing at the same point where I wold like to enable haproxy health checks to check a mysql server with require_secure_connection = ‘ON’.
This means the backend server only allows encrypted connections.
When configuring the health check like this:

listen mysql-ssl
  bind 127.0.0.10:12739
  mode tcp
  option tcplog
  option mysql-check user haproxy
  
  server 172.16.169.65:2739 172.16.169.65:2739 check
  server 172.16.169.66:2739 172.16.169.66:2739 check

then it works for require_secure_connection = ‘OFF’
but no more with require_secure_connection = ‘ON’

When changing the haproxy config to

listen mysql-ssl
  bind 127.0.0.10:12739
  mode tcp
  option tcplog
  option mysql-check user haproxy
  
  server 172.16.169.65:2739 172.16.169.65:2739 check check-ssl ssl verify none
  server 172.16.169.66:2739 172.16.169.66:2739 check

(having the “check-ssl ssl verify none” added)
then the check does not work any more and I get this error:

2021-01-13T08:09:46+00:00 haproxy[14673]: Server mysql-ssl/172.16.169.65:2739 is DOWN, reason: Socket error, info: "SSL handshake failure", check duration: 0ms. 1 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
2021-01-13T08:09:46.952353+00:00 haproxy[943]: [WARNING] 012/080946 (14673) : Server mysql-ssl/172.16.169.65:2739 is DOWN, reason: Socket error, info: "SSL handshake failure", check duration: 0ms. 1 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.

The server cert is valid, but this is not the problem at all … (since I also added the “ssl verify none”)
For me it looks, that the ssl enforced check of haproxy cannot do the SSL handshake with mysql …

Any hints, what might be wrong configured or what I could do to make the ssl enabled check against the mysql backend servers working?

Thanks in advance …
Steffen

lukastribus · January 14, 2021, 8:09pm

This is not supported, it never was.

Mysql negotiates SSL, it’s not like it’s entirely wrapped in SSL like HTTPS (the difference is implicit vs explicit SSL just like with SMTP and IMAP and so on).

Therefor, you can’t do this. If you must enable require_secure_connection I suggest to downgrade to a layer 4 check.

reziel84 · January 15, 2021, 8:49am

after a lot of time spent on this task i suppose YES, it’s not supported.
thanks a lot for your reply

Topic		Replies	Views
Troubleshooting SSL Handshake Failure (backend) Help!	4	1022	December 11, 2022
CRITICAL - HAProxy SSL Handshake failure issue Help!	2	2710	May 3, 2023
Haproxy 1.8.8 SSL handshake failure Help!	0	2028	July 18, 2018
Haproxy 2.8 uses self signed certificate - where does it take it from? Help!	6	336	November 9, 2023
Haproxy w/ssl 'SSL handshake failure' Help!	3	7050	February 10, 2023

Haproxy 2.0.0 with self signed cert Mysql handshake failure

Related Topics