HAProxy 2.0.4 with OpenSSL 1.1.1: TLS 1.3 not working

Hi, I have installed OpenSSL 1.1.1 and then installed HAProxy 2.0.4. All looks good from the HAProxy side,
with haproxy -vv showing:
root@aasfproxy1wlg:/etc/haproxy# haproxy -vv
HA-Proxy version 2.0.4 2019/08/06 - https://haproxy.org/
Built with multi-threading support (MAX_THREADS=64, default=8).
Built with OpenSSL version : OpenSSL 1.1.1 11 Sep 2018
Running on OpenSSL version : OpenSSL 1.1.1 11 Sep 2018
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
haproxy.cfg SSL options are:
ssl-default-bind-ciphers TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:TLS13-CHACHA20-POLY1305-SHA256:EECDH+AESGCM:EECDH+CHACHA20
ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11

SSL is being offloaded at HAProxy, but the website still reports TLS 1.2.
Any help would be appreciated. Thanks.

Elaborate what that means. Are you seeing that in a browser? Are you seeing that in SSL Labs reports? Exactly how did you come to the conclusion that only TLSv1.2 is available?

This is wrong, but it won’t impact TLSv1.3.

There are no ciphers beginning with TLS13, this is an obsolete representation from the 1.1.1 development which was never in any released version of openssl.

Also, the API for TLS 1.3 ciphers is different and must be configured with ssl-default-bind-ciphersuites as opposed to ssl-default-bind-ciphers.

But like I said, OpenSSL will just use the standard set of ciphersuites for TLS 1.3 in this case.

Edit: please make sure you use the latest bugfix release of OpenSSL 1.1.1. Currently that is 1.1.1c.

Thanks for the reply, lukastribus. I got the ssl-default-bind-ciphers line from some website, so I will change that.
I got the TLS version the site is running from the Chrome developer tools, after ensuring my Chrome version supports 1.3: I visited a known site and it shows 1.3 OK.
Running "openssl version -a" is not showing the build; it just shows 1.1.1 (see below), so I will look for the 1.1.1c source update.
root@aasfproxy1wlg:~# openssl version -a
OpenSSL 1.1.1 11 Sep 2018
built on: Sun Aug 11 22:28:42 2019 UTC
platform: linux-x86_64
options: bn(64,64) rc4(16x,int) des(int) idea(int) blowfish(ptr)
compiler: gcc -fPIC -pthread -m64 -Wall -O3 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPADLOCK_ASM -DPOLY1305_ASM -DNDEBUG
OPENSSLDIR: "/usr/local/ssl"
ENGINESDIR: "/usr/local/lib/engines-1.1"
Seeding source: os-specific

That assumption may not be true. If you use an older Chrome version, the final TLS 1.3 version won’t be implemented, instead you may be running a draft version, which a CDN like Cloudflare supports, but OpenSSL doesn’t.

So please specify which exact Chrome release on what exact OS you are running, because it is important.

Next step, provide the output of the following commands:

openssl version
openssl s_client -connect <haproxyIP:port>

Also, please provide the entire configuration, and elaborate how OpenSSL and HAProxy were built.

First the commands:
openssl version
OpenSSL 1.1.1 11 Sep 2018
###############################################
openssl s_client -connect 122.252.184.116:443
CONNECTED(00000005)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
verify error:num=19:self signed certificate in certificate chain

Certificate chain
0 s:C = NZ, ST = Wellington, L = Wellington Central, O = Paystation Limited, CN = *.loyaltysystems.co.nz
i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
1 s:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
2 s:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA

Server certificate
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
subject=C = NZ, ST = Wellington, L = Wellington Central, O = xxxxxxxxxx, CN = xxxxxxxxxxxxxxxxxxx

issuer=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA


No client certificate CA names sent
Peer signing digest: SHA512
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits

SSL handshake has read 4528 bytes and written 443 bytes
Verification error: self signed certificate in certificate chain

New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 9B7A1E15A5ACA48338F2BF6A064D1675AA731E8BAE9389A45837717940A02A57
Session-ID-ctx:
Master-Key: 00C960BC3A3B32700028CFEC35B897E8C82287F7EDB07416432CE9D5B1B6ED98367216D7F6C3BA8EFF975C016BEA12C3
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - f9 c7 ed 87 98 ae 98 11-fb 12 29 86 d2 76 c5 43 …)…v.C
0010 - 61 2f fe b9 84 fc ef ca-53 d5 de ea 6d 0d 47 a5 a/…S…m.G.
0020 - 0e 99 9a d7 65 13 22 4a-19 7b 36 c5 bc cf 76 1b …e."J.{6…v.
0030 - 69 f4 7c 4c cc 5e 40 0f-ae 4f fd f2 3f 7b 07 34 i.|L.^@…O…?{.4
0040 - 87 f8 09 07 bd 4c f6 c1-ff a9 f4 f1 23 85 a6 d9 …L…#…
0050 - d9 1c 28 62 38 d0 47 7f-a2 ed 3f a5 0e 6a 23 c2 …(b8.G…?..j#.
0060 - 23 fa d7 93 70 23 f7 df-f1 05 be 88 67 e8 eb 70 #…p#…g…p
0070 - bb 95 14 c9 f8 09 b5 86-6b 72 80 a7 e6 e9 64 f2 …kr…d.
0080 - 25 65 e8 b0 8e 4c 1c 46-62 8a 0a 35 0a c1 b9 e0 %e…L.Fb…5…
0090 - 94 89 c2 14 59 d0 ee ef-ff ee db 53 8e 62 98 47 …Y…S.b.G
00a0 - d0 14 04 93 24 07 00 67-98 7a ea b2 00 28 04 47 …$…g.z…(.G

Start Time: 1565647983
Timeout   : 7200 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
Extended master secret: no

JUST NOTICED: self-signed CRT in chain, don't know where that came from!!!

Next, my config:
global
    log /dev/log local0
    log /dev/log local1 notice
    log 127.0.0.1:514 local0 debug
    #stats socket /run/haproxy/admin.sock mode 660 level debug
    #stats timeout 30s

    #ssl-default-bind-options no-sslv3
    chroot /var/lib/haproxy
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private
    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    # An alternative list with additional directives can be obtained from
    #  https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
    #ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    #ssl-default-bind-options no-sslv3
    tune.ssl.default-dh-param  2048
    ssl-default-bind-ciphers TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:TLS13-CHACHA20-POLY1305-SHA256:EECDH+AESGCM:EECDH+CHACHA20
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11

defaults
    log global
    mode http
    option httplog
    option http-server-close
    option dontlognull
    option forwardfor
    cookie SRVNAME insert
    stats enable
    stats refresh 30s
    stats show-node
    stats auth admin:password123
    stats uri /haproxy?stats
    option http-server-close
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

frontend front_end
    bind *:80
    bind *:443 ssl crt /etc/haproxy/certs/##########.pem

    stats uri /haproxy?stats
    stats refresh 30s
    stats show-node
    stats auth admin:password123

    acl xxxxxx hdr(host) -i xxxxxxxxx
    use_backend xxxxxxx if xxxxxxxx
    default_backend http_back

backend xxxxxxxxxxx
    stats uri /haproxy?stats
    server server1 172.16.40.183:80 check cookie 01
    server server2 172.16.40.184:80 check cookie 02

backend http_back
    server server1 172.16.40.183:80 check
    server server2 172.16.40.184:80 check
#############################
Note: I had to sanitize some stuff, sorry.

My Chrome version: I can browse to TLS sites and the dev tools show TLS 1.3, but my site shows TLS 1.2 with this browser. The site is internal at the moment, so I can't use web SSL tools.
Google Chrome is up to date

Version 76.0.3809.100 (Official Build) (64-bit)

I have updated openssl to version 1.1.1c now but no change in result.

You probably have the root CA in the chain, which is useless and redundant. You also have that on your live, Internet facing site.

I see that not even openssl connects to haproxy in TLS v1.3, so this is definitely a local issue (unrelated to Chrome, etc).

At this point I’m not sure what is happening. Can you please explain what the base OS is and how you updated OpenSSL and Haproxy?

I assume both executables, or at least haproxy, may be pointing to an older OpenSSL release.

Hi, thanks for your patience.
OS is Ubuntu 16.04.6 LTS.
OpenSSL was installed from source from the OpenSSL site (I have recompiled it to 1.1.1c since the install).
This was installed before HAProxy. I then added the HAProxy repo from
add-apt-repository ppa:vbernat/haproxy-2.0
and then just did a normal apt-get install.

OpenSSL was updated after the install, so haproxy -vv now reflects that it was built with 1.1.1 but is running on 1.1.1c:
Built with multi-threading support (MAX_THREADS=64, default=8).
Built with OpenSSL version : OpenSSL 1.1.1 11 Sep 2018
Running on OpenSSL version : OpenSSL 1.1.1c 28 May 2019
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3

lukastribus, I am just doing an HAProxy rebuild from source pointing directly against OpenSSL 1.1.1c,
using instructions from here: https://dnsprivacy.org/wiki/display/DP/Building+HAProxy+so+that+it+can+use+TLSv1.3

Hi, I started a from-scratch rebuild with the specs below, but still the same error.
I put a host entry on the HAProxy server to point back to itself and ran
openssl s_client -connect mysite.co.nz:443
It still shows only TLS 1.2.

Server OS Ubuntu 16.04.6 LTS
openssl 1.1.1c
Haproxy HA-Proxy version 1.8.8 2018/04/19
Copyright 2000-2018 Willy Tarreau willy@haproxy.org
Build options :
TARGET = linux-glibc
CPU = native
CC = gcc
CFLAGS = -O2 -march=native -g -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv -fno-strict-overflow -Wno-unused-label
OPTIONS = USE_ZLIB=1 USE_POLL=default USE_OPENSSL=1 USE_PCRE2=1 USE_PCRE2_JIT=1
Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200
Built with OpenSSL version : OpenSSL 1.1.1c 28 May 2019
Running on OpenSSL version : OpenSSL 1.1.1c 28 May 2019
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
Built with transparent proxy support using: IP_TRANSPARENT IP_FREEBIND
Encrypted password support via crypt(3): yes
Built with PCRE2 version : 10.21 2016-01-12
PCRE2 library supports JIT : yes
Built with zlib version : 1.2.8
Running on zlib version : 1.2.8
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with network namespace support.

Available polling systems :
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 2 (2 usable), will use poll.

Available filters :
[SPOE] spoe
[COMP] compression
[TRACE] trace
Note: used 1.8 as I had seen posts with TLS 1.3 working.

global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    # An alternative list with additional directives can be obtained from
    #  https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3

############################################################################
haproxy.cfg:

defaults
    log global
    mode http
    option httplog
    option dontlognull
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

frontend front_end
    bind *:80
    bind *:443 ssl crt /etc/haproxy/certs/#############.pem
    stats uri /haproxy?stats
    acl ######## hdr(host) -i #############.co.nz
    use_backend ######## if #######
    default_backend service

backend service

    redirect scheme https if ! { ssl_fc }

    server server01 172.16.40.183:80 check
    server server02 172.16.40.184:80 check

I don’t think haproxy accesses the 1.1.1 lib at all.

Please provide the output of the following commands (and put it into code blocks by selecting the text and hitting </> )

which openssl
ldd /usr/bin/openssl
ldd /usr/local/bin/openssl
ldd /opt/openssl-1.1.1/bin/openssl
ldd <whatever which openssl pointed to, if not covered by the above paths>

which haproxy
ldd haproxy
LD_LIBRARY_PATH=/opt/openssl-1.1.1/lib/ ldd haproxy

I don’t think that this a good strategy at all. You should’ve followed the advice in INSTALL instead.

Did you follow the instructions from this post exactly? Did you modify the systemd unit file with the environment variable change, and used the same exact paths everywhere?

Also, confirm that your openssl build actually connects with TLS 1.3 to a third party site, like:

openssl s_client -connect www.cloudflare.com:443

root@aasfproxy1wlg:/etc/haproxy# which openssl
/usr/local/bin/openssl
root@aasfproxy1wlg:/etc/haproxy# ldd /usr/local/bin/openssl
linux-vdso.so.1 => (0x00007ffc4ad23000)
libssl.so.1.1 => /usr/local/lib/libssl.so.1.1 (0x00007f7862617000)
libcrypto.so.1.1 => /usr/local/lib/libcrypto.so.1.1 (0x00007f7862122000)
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f7861f05000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f7861b3b000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f7861937000)
/lib64/ld-linux-x86-64.so.2 (0x00007f78628ab000)
root@aasfproxy1wlg:/etc/haproxy#
root@aasfproxy1wlg:/etc/haproxy# which haproxy
/usr/local/sbin/haproxy
root@aasfproxy1wlg:/etc/haproxy# ldd /usr/local/sbin/haproxy
linux-vdso.so.1 => (0x00007fff7ed50000)
libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007fa9964ff000)
libssl.so.1.1 => /usr/local/lib/libssl.so.1.1 (0x00007fa99626b000)
libcrypto.so.1.1 => /usr/local/lib/libcrypto.so.1.1 (0x00007fa995d76000)
libpcre2-8.so.0 => /usr/lib/x86_64-linux-gnu/libpcre2-8.so.0 (0x00007fa995afd000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fa995733000)
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007fa995516000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fa995312000)
/lib64/ld-linux-x86-64.so.2 (0x00007fa996719000)
root@aasfproxy1wlg:/etc/haproxy#

Hi Lukas, I'm afraid I abandoned the instructions above as I ran into a few errors. I already had OpenSSL 1.1.1c installed, so I got the PPA HAProxy 1.8 repo and did an apt-get install. It shows as built and running on OpenSSL 1.1.1c with support for TLS 1.3, so it is looking better than my last build (even though I downgraded from HAProxy v2.0). Sorry, I didn't get the abandonment on the page before you replied. I was still working on it.

root@aasfproxy1wlg:/etc/haproxy# openssl s_client -connect www.cloudflare.com:443
CONNECTED(00000003)
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert ECC Extended Validation Server CA
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 businessCategory = Private Organization, jurisdictionC = US, jurisdictionST = Delaware, serialNumber = 4710875, C = US, ST = California, L = San Francisco, O = "Cloudflare, Inc.", CN = cloudflare.com
verify return:1
---
Certificate chain
 0 s:businessCategory = Private Organization, jurisdictionC = US, jurisdictionST = Delaware, serialNumber = 4710875, C = US, ST = California, L = San Francisco, O = "Cloudflare, Inc.", CN = cloudflare.com
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert ECC Extended Validation Server CA
 1 s:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert ECC Extended Validation Server CA
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
subject=businessCategory = Private Organization, jurisdictionC = US, jurisdictionST = Delaware, serialNumber = 4710875, C = US, ST = California, L = San Francisco, O = "Cloudflare, Inc.", CN = cloudflare.com

issuer=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert ECC Extended Validation Server CA

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2870 bytes and written 400 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 20 (unable to get local issuer certificate)

I just ran an SSL Labs test against the server and saw SSL handshake failures in the haproxy log. Does that point to a cipher config error?

Forget that, Google says that's normal!
I also did this, which you asked for earlier:
root@aasfproxy1wlg:/# LD_LIBRARY_PATH=/usr/bin/openssl/lib ldd /usr/local/sbin/haproxy
linux-vdso.so.1 => (0x00007ffd3fbee000)
libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007fb63d3ba000)
libssl.so.1.1 => /usr/local/lib/libssl.so.1.1 (0x00007fb63d126000)
libcrypto.so.1.1 => /usr/local/lib/libcrypto.so.1.1 (0x00007fb63cc31000)
libpcre2-8.so.0 => /usr/lib/x86_64-linux-gnu/libpcre2-8.so.0 (0x00007fb63c9b8000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fb63c5ee000)
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007fb63c3d1000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fb63c1cd000)
/lib64/ld-linux-x86-64.so.2 (0x00007fb63d5d4000)
I don't understand it, so I hope I have done it right.

Everything looks right here, so it must be something else, maybe this is something simpler.

Let’s check the systemd unit:

systemctl status haproxy

root@aasfproxy1wlg:~# systemctl status haproxy
● haproxy.service - HAProxy Load Balancer
Loaded: loaded (/lib/systemd/system/haproxy.service; enabled; vendor preset: enabled)
Active: active (running) since Tue 2019-08-13 09:20:55 UTC; 11h ago
Docs: man:haproxy(1)
file:/usr/share/doc/haproxy/configuration.txt.gz
Process: 1326 ExecStartPre=/usr/sbin/haproxy -f $CONFIG -c -q $EXTRAOPTS (code=exited, status=0/SUCCESS)
Main PID: 1330 (haproxy)
Tasks: 9
Memory: 8.2M
CPU: 15.313s
CGroup: /system.slice/haproxy.service
├─1330 /usr/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid -S /run/haproxy-master.sock
└─1332 /usr/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid -S /run/haproxy-master.sock

Aug 13 09:20:55 aasfproxy1wlg systemd[1]: Stopped HAProxy Load Balancer.
Aug 13 09:20:55 aasfproxy1wlg systemd[1]: Starting HAProxy Load Balancer…
Aug 13 09:20:55 aasfproxy1wlg haproxy[1330]: Proxy front_end started.
Aug 13 09:20:55 aasfproxy1wlg haproxy[1330]: Proxy front_end started.
Aug 13 09:20:55 aasfproxy1wlg haproxy[1330]: Proxy bpservice started.
Aug 13 09:20:55 aasfproxy1wlg haproxy[1330]: [NOTICE] 224/092055 (1330) : New worker #1 (1332) forked
Aug 13 09:20:55 aasfproxy1wlg systemd[1]: Started HAProxy Load Balancer.
Aug 13 09:20:55 aasfproxy1wlg haproxy[1330]: Proxy bpservice started.
root@aasfproxy1wlg:~#

Ok, so you have 2 different haproxy executables on your box, and we kept looking at the wrong one.

Please provide the following outputs:

/usr/sbin/haproxy -vv
ldd /usr/sbin/haproxy
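The two diagnostic threads above (the obsolete TLS13-* names in ssl-default-bind-ciphers with no ssl-default-bind-ciphersuites line, and the question of which haproxy binary systemd actually starts and which libssl it loads) can be checked in one pass. The script below is an added example for this thread; it is not code posted by either participant nor anything shipped by HAProxy or OpenSSL. Its parsing functions are exercised on output copied from the thread, and its live section, enabled with TLS13_CHECK_LIVE=1, runs systemctl, ldd, haproxy -vv and openssl s_client on the local host. The unit name haproxy, the config path /etc/haproxy/haproxy.cfg and the listener 127.0.0.1:443 are assumed defaults (override with HAPROXY_UNIT and HAPROXY_ADDR).

```sh
#!/bin/sh
# Added example (not from the thread or the HAProxy project): check whether the
# haproxy binary systemd starts is the one in PATH, which libssl each loads,
# whether haproxy -vv reports TLSv1.3, whether the config still carries the
# obsolete "TLS13-*" cipher names, and what the listener actually negotiates.
# HAPROXY_UNIT and HAPROXY_ADDR are assumed defaults; override them as needed.

# Binary path from `systemctl show -p ExecStart <unit>`
# ("ExecStart={ path=/usr/sbin/haproxy ; argv[]=... }") or from a plain
# command line as shown by `systemctl status` ("/usr/sbin/haproxy -Ws -f ...").
systemd_exec_binary() {
    printf '%s\n' "$1" | awk '
        match($0, /path=[^ ;]+/) { print substr($0, RSTART + 5, RLENGTH - 5); exit }
        { sub(/^ExecStart=/, ""); print $1; exit }'
}

# Resolved libssl path from `ldd <binary>` output, or "none" if the binary is
# not linked against libssl at all.
ldd_libssl_path() {
    printf '%s\n' "$1" | awk '/libssl\.so/ { print $3; found = 1; exit }
                              END { if (!found) print "none" }'
}

# "built|running|match" from `haproxy -vv`; MISMATCH means haproxy was compiled
# against one OpenSSL release but the dynamic loader picked up another.
haproxy_openssl_versions() {
    printf '%s\n' "$1" | awk -F' : ' '
        /^Built with OpenSSL version/ { built = $2 }
        /^Running on OpenSSL version/ { running = $2 }
        END { printf "%s|%s|%s\n", built, running, (built == running ? "match" : "MISMATCH") }'
}

# yes/no: does `haproxy -vv` list TLSv1.3 among the supported protocols?
haproxy_supports_tls13() {
    if printf '%s\n' "$1" | grep -q '^OpenSSL library supports : .*TLSv1\.3'; then echo yes; else echo no; fi
}

# The two config problems raised in the thread: "TLS13-*" names inside
# ssl-default-bind-ciphers (never valid in a released OpenSSL) and no
# ssl-default-bind-ciphersuites line (where the TLS 1.3 suites are configured).
config_tls13_issues() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*ssl-default-bind-ciphers[ \t]/ && /TLS13-/ { obsolete = 1 }
        /^[ \t]*ssl-default-bind-ciphersuites[ \t]/       { suites = 1 }
        END { printf "%s|%s\n", (obsolete ? "obsolete-tls13-names" : "ok"), (suites ? "ciphersuites-set" : "ciphersuites-missing") }'
}

# Negotiated protocol from `openssl s_client` output. The "New, TLSv1.3, Cipher is ..."
# line reads "New, (NONE), Cipher is (NONE)" when the handshake failed.
s_client_protocol() {
    printf '%s\n' "$1" | sed -n 's/^New, \(.*\), Cipher is .*/\1/p' | head -n 1
}

live_check() {
    unit=${HAPROXY_UNIT:-haproxy}
    addr=${HAPROXY_ADDR:-127.0.0.1:443}   # assumed listener; set to your bind address
    svc_bin=$(systemd_exec_binary "$(systemctl show -p ExecStart "$unit" 2>/dev/null)")
    path_bin=$(command -v haproxy || echo none)
    echo "systemd starts : ${svc_bin:-unknown}"
    echo "PATH resolves  : $path_bin"
    if [ -n "$svc_bin" ] && [ "$svc_bin" != "$path_bin" ]; then
        echo "WARNING: systemd and PATH point at different haproxy binaries"
    fi
    for b in $(printf '%s\n%s\n' "$svc_bin" "$path_bin" | sort -u); do
        [ -x "$b" ] || continue
        vv=$("$b" -vv 2>/dev/null)
        echo "$b libssl  : $(ldd_libssl_path "$(ldd "$b" 2>/dev/null)")"
        echo "$b OpenSSL : $(haproxy_openssl_versions "$vv")"
        echo "$b TLSv1.3 : $(haproxy_supports_tls13 "$vv")"
    done
    if [ -r /etc/haproxy/haproxy.cfg ]; then
        echo "config         : $(config_tls13_issues "$(cat /etc/haproxy/haproxy.cfg)")"
    fi
    # Force a TLS 1.3-only handshake; "(NONE)" means the listener does not offer it.
    out=$(openssl s_client -tls1_3 -connect "$addr" </dev/null 2>/dev/null)
    echo "negotiated     : $(s_client_protocol "$out")"
}

if [ "${TLS13_CHECK_LIVE:-0}" = 1 ]; then live_check; fi
```

Run it as TLS13_CHECK_LIVE=1 sh tls13_check.sh on the proxy host. In the situation this thread ended on, the "systemd starts" and "PATH resolves" lines would differ (/usr/sbin/haproxy versus /usr/local/sbin/haproxy), which is exactly the two-binaries problem; a MISMATCH in the OpenSSL line is the "built with 1.1.1, running on 1.1.1c" state seen earlier, and a forced -tls1_3 handshake returning (NONE) confirms the listener is still limited to TLS 1.2 regardless of what a browser reports.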