Security fault testing with the openssl and nmap tools: TLSv1 and 1.1 are still enabled on the TCP-mode ports, although the sslMinVersion and sslMaxVersion 1.2 clause is applied in haproxy.cfg. It seems to work OK just in HTTP mode but is not effective in TCP mode (used to proxy MS Exchange ports 993, 995, 587, 110, 25). Certificates are local on the HAProxy machine. CentOS 9. OpenSSL 3.0.7. !!! Need to block TLS 1.0 and 1.1 before redirecting to the backends!!!
haproxy.cfg:
#---------------------------------------------------------------------
# Example configuration for a possible web application. See the
# full configuration options online.
#
# https://www.haproxy.org/download/1.8/doc/configuration.txt
#
#---------------------------------------------------------------------

#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
    # to have these messages end up in /var/log/haproxy.log you will
    # need to:
    #
    # 1) configure syslog to accept network log events. This is done
    #    by adding the '-r' option to the SYSLOGD_OPTIONS in
    #    /etc/sysconfig/syslog
    #
    # 2) configure local2 events to go to the /var/log/haproxy.log
    #    file. A line like the following can be added to
    #    /etc/sysconfig/syslog
    #
    #    local2.* /var/log/haproxy.log
    #
    # modern configuration
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tlsv12 no-tls-tickets
    ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tlsv12 no-tls-tickets

    log 127.0.0.1 local2
    chroot /var/lib/haproxy
    pidfile /var/run/haproxy.pid
    maxconn 4000
    user haproxy
    group haproxy
    daemon

    # turn on stats unix socket
    stats socket /var/lib/haproxy/stats

    # utilize system-wide crypto-policies
    #ssl-default-bind-ciphers PROFILE=SYSTEM
    #ssl-default-server-ciphers PROFILE=SYSTEM

#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
    mode http
    log global
    option httplog
    option dontlognull
    option http-server-close
    option redispatch
    retries 3
    timeout http-request 10s
    timeout queue 30s
    timeout connect 5s
    timeout client 5m
    timeout server 5m
    timeout http-keep-alive 1s
    timeout check 10s
    maxconn 3000

#---------------------------------------------------------------------
# main frontend which proxies to the backends
#---------------------------------------------------------------------
frontend main
    bind *:5000
    acl url_static path_beg -i /static /images /javascript /stylesheets
    acl url_static path_end -i .jpg .gif .png .css .js
    use_backend static if url_static
    default_backend app

#---------------------------------------------------------------------
# static backend for serving up images, stylesheets and such
#---------------------------------------------------------------------
backend static
    balance roundrobin
    server static 127.0.0.1:4331 check

#---------------------------------------------------------------------
# round robin balancing between the various backends
#---------------------------------------------------------------------
backend app
    balance roundrobin
    server app1 127.0.0.1:5001 check
    server app2 127.0.0.1:5002 check
    server app3 127.0.0.1:5003 check
    server app4 127.0.0.1:5004 check

frontend fe_mail
    # Front-end for mail --- will redirect to 443
    bind :80
    http-response set-header X-Frame-Options SAMEORIGIN
    http-response set-header X-Content-Type-Options nosniff
    http-response set-header Strict-Transport-Security max-age=63072000
    mode http
    maxconn 10000
    # Block access to the Admin Center (ecp) unless it comes from the internal network (10.0.0.0/8)
    #acl private_network src 10.0.0.0/8 192.168.0.0/16 ###XXX.XXX.XXX.XXX/24
    #acl ecp_req url_beg /ecp
    #http-request deny if ecp_req !private_network
    redirect scheme https code 301 if !{ ssl_fc } # redirects port 80 -> 443
    bind *:443 ssl crt _certificado_final.pem #outlook.pem #/etc/letsencrypt/live/outlook.qqrt.com.br/fullchain.pem #alpn h2,http/1.1 /etc/haproxy/proxy.pem alpn h2,http/1.1
    #bind *:443 ssl crt /etc/ssl/certs/cert_aiko2.pem
    acl xmail hdr(host) -i webmail.qqrt.com.br outlook.qqrt.com.br exchange.qqrt.com.br mail.qqrt.com.br autodiscover.qqrt.com.br
    acl autodiscover url_beg /Autodiscover
    acl autodiscover url_beg /autodiscover
    acl mapi url_beg /mapi
    acl rpc url_beg /rpc
    acl owa url_beg /owa
    acl owa url_beg /OWA
    acl eas url_beg /Microsoft-Server-ActiveSync
    acl eas url_beg /Microsoft-Server-activeSync
    acl ecp url_beg /ecp
    acl ews url_beg /EWS
    acl ews url_beg /ews
    acl oab url_beg /OAB
    acl default_for_mail url_beg /
    use_backend be_ex2019_owa if xmail owa
    use_backend be_ex2019_autodiscover if xmail autodiscover
    use_backend be_ex2019_mapi if xmail mapi
    use_backend be_ex2019_activesync if xmail eas
    use_backend be_ex2019_ews if xmail ews
    use_backend be_ex2019_rpc if xmail rpc
    use_backend be_ex2019_default if xmail default_for_mail

frontend fe_exchange_imaps
    mode tcp
    option tcplog
    bind 10.2.0.146:993 name imaps
    default_backend be_exchange_imaps

frontend fe_exchange_smtp
    mode tcp
    option tcplog
    bind 10.2.0.146:25 name smtp
    default_backend be_exchange_smtp

frontend fe_exchange_smtps
    mode tcp
    option tcplog
    bind 10.2.0.146:587 name smtps
    default_backend be_exchange_smtps

#frontend fe_exchange_imap
#    mode tcp
#    option tcplog
#    bind :143 name imap
#    default_backend be_exchange_imap

frontend fe_exchange_pop3
    mode tcp
    option tcplog
    bind 10.2.0.146:110 name pop3
    default_backend be_exchange_pop3

frontend fe_exchange_pop3s
    mode tcp
    option tcplog
    bind 10.2.0.146:995 name pop3s
    default_backend be_exchange_pop3s

#------------------------------------
# backend - Exchange ---------------#
#------------------------------------
# Imaps
backend be_exchange_imaps
    mode tcp
    balance source
    option log-health-checks
    #server mail1 opPRDSREX01.qqrtgerais.com.br.net:993 weight 10 check
    server mail2 opPRDSREX02.qqrtgerais.com.br.net:993 weight 20 check
    server mail3 opPRDSREX03.qqrtgerais.com.br.net:993 weight 20 check

# Imap
#backend be_exchange_imap
#    mode tcp
#    balance source
#    option log-health-checks
#    server mail1 opPRDSREX01.qqrtgerais.com.br.net:143 weight 10 check
#    server mail2 opPRDSREX02.qqrtgerais.com.br.net:143 weight 20 check

#SMTP
backend be_exchange_smtp
    mode tcp
    balance source
    option log-health-checks
    #server mail1 opPRDSREX01.qqrtgerais.com.br.net:25 weight 20 check
    server mail2 opPRDSREX02.qqrtgerais.com.br.net:25 weight 10 check
    server mail3 opPRDSREX03.qqrtgerais.com.br.net:25 weight 10 check

#SMTPS
backend be_exchange_smtps
    mode tcp
    balance source
    option log-health-checks
    #server mail1 opPRDSREX01.qqrtgerais.com.br.net:587 weight 20 check
    server mail2 opPRDSREX02.qqrtgerais.com.br.net:587 weight 10 check
    server mail3 opPRDSREX03.qqrtgerais.com.br.net:587 weight 10 check

#POP3
backend be_exchange_pop3
    mode tcp
    balance source
    option log-health-checks
    server mail1 opPRDSREX02.qqrtgerais.com.br.net:110 weight 20 check
    server mail2 opPRDSREX03.qqrtgerais.com.br.net:110 weight 10 check

#POP3S
backend be_exchange_pop3s
    mode tcp
    balance source
    option log-health-checks
    server mail1 opPRDSREX02.qqrtgerais.com.br.net:995 weight 20 check
    server mail2 opPRDSREX03.qqrtgerais.com.br.net:995 weight 10 check

#Backend - AutoDiscover
backend be_ex2019_autodiscover
    mode http
    # balance source
    option httpchk GET /autodiscover/healthcheck.htm
    option log-health-checks
    http-check expect status 200
    #server mail1 opPRDSREX01.qqrtgerais.com.br.net:443 check maxconn 1000 ssl ca-file /etc/ssl/certs/ca-certificates.crt
    server mail2 opPRDSREX02.qqrtgerais.com.br.net:443 check maxconn 1000 ssl ca-file /etc/ssl/certs/ca-certificates.crt
    server mail3 opPRDSREX03.qqrtgerais.com.br.net:443 check maxconn 1000 ssl ca-file /etc/ssl/certs/ca-certificates.crt

backend be_ex2019_mapi
    mode http
    balance source
    option httpchk GET /mapi/healthcheck.htm
    option log-health-checks
    http-check expect status 200
    #server mail1 opPRDSREX01.qqrtgerais.com.br.net:443 check maxconn 1000 ssl ca-file /etc/ssl/certs/ca-certificates.crt
    server mail2 opPRDSREX02.qqrtgerais.com.br.net:443 check maxconn 1000 ssl ca-file /etc/ssl/certs/ca-certificates.crt
    server mail3 opPRDSREX03.qqrtgerais.com.br.net:443 check maxconn 1000 ssl ca-file /etc/ssl/certs/ca-certificates.crt

backend be_ex2019_rpc
    mode http
    balance source
    option httpchk GET /rpc/healthcheck.htm
    option log-health-checks
    http-check expect status 200
    #server mail1 opPRDSREX01.qqrtgerais.com.br.net:443 check maxconn 1000 ssl ca-file /etc/ssl/certs/ca-certificates.crt
    server mail2 opPRDSREX02.qqrtgerais.com.br.net:443 check maxconn 1000 ssl ca-file /etc/ssl/certs/ca-certificates.crt
    server mail3 opPRDSREX03.qqrtgerais.com.br.net:443 check maxconn 1000 ssl ca-file /etc/ssl/certs/ca-certificates.crt

backend be_ex2019_owa
    mode http
    # balance source
    option httpchk GET /owa/healthcheck.htm
    option log-health-checks
    http-check expect status 200
    #server mail1 opPRDSREX01.qqrtgerais.com.br.net:443 check maxconn 1000 ssl ca-file /etc/ssl/certs/ca-certificates.crt
    server mail2 opPRDSREX02.qqrtgerais.com.br.net:443 check maxconn 1000 ssl ca-file /etc/ssl/certs/ca-certificates.crt
    server mail3 opPRDSREX03.qqrtgerais.com.br.net:443 check maxconn 1000 ssl ca-file /etc/ssl/certs/ca-certificates.crt

backend be_ex2019_activesync
    mode http
    #balance source
    option httpchk GET /microsoft-server-activesync/healthcheck.htm
    option log-health-checks
    http-check expect status 200
    #server mail1 opPRDSREX01.qqrtgerais.com.br.net:443 check ssl verify none
    server mail2 opPRDSREX02.qqrtgerais.com.br.net:443 check ssl verify none
    server mail3 opPRDSREX03.qqrtgerais.com.br.net:443 check ssl verify none

backend be_ex2019_ews
    mode http
    balance source
    option httpchk GET /ews/healthcheck.htm
    option log-health-checks
    http-check expect status 200
    #server mail1 opPRDSREX01.qqrtgerais.com.br.net:443 check ssl verify none
    server mail2 opPRDSREX02.qqrtgerais.com.br.net:443 check ssl verify none
    server mail3 opPRDSREX03.qqrtgerais.com.br.net:443 check ssl verify none

backend be_ex2019_default
    mode http
    balance source
    #server mail1 opPRDSREX01.qqrtgerais.com.br.net:443 check ssl verify none
    server mail2 opPRDSREX02.qqrtgerais.com.br.net:443 check ssl verify none
    server mail3 opPRDSREX03.qqrtgerais.com.br.net:443 check ssl verify none
openssl test:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 111 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1691785807
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Starting Nmap 7.92 ( https://nmap.org ) at 2023-08-11 18:33 -03
Nmap scan report for 10.2.0.146
Host is up (0.000037s latency).
PORT STATE SERVICE VERSION
110/tcp open pop3 Microsoft Exchange 2007-2010 pop3d
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|_  least strength: C
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.47 seconds
Thanks in Advance
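Why the global options have no effect on the mail ports, with one way to fix the implicit-TLS ones, as an added example that is not part of the original post: the TCP-mode frontends above bind without `ssl`, so HAProxy forwards the client's TLS handshake byte-for-byte to Exchange and `ssl-default-bind-options` never applies; the nmap output is reporting the Exchange servers' own TLS configuration (note the "Microsoft Exchange 2007-2010 pop3d" service banner). Terminating TLS on the bind line makes HAProxy the TLS endpoint, where `ssl-min-ver` applies, and the backend then re-encrypts to Exchange. The certificate path and the backend `ssl verify required` settings are assumptions.

```haproxy
# Added example (not from the original config): terminate TLS at HAProxy for the
# implicit-TLS mail ports 993 and 995 so a TLS 1.2 floor is enforced before any
# bytes reach Exchange. Assumed certificate path: /etc/haproxy/_certificado_final.pem
#
# Caveat: the global ssl-default-bind-options above carry no-tlsv12, which also
# applies to these binds; if mail clients need TLS 1.2, replace the no-tlsvXX
# flags there with "ssl-min-ver TLSv1.2" rather than stacking both.

frontend fe_exchange_imaps
    mode tcp
    option tcplog
    # 'ssl' makes HAProxy the TLS server on this port; 'ssl-min-ver' then applies.
    bind 10.2.0.146:993 name imaps ssl crt /etc/haproxy/_certificado_final.pem ssl-min-ver TLSv1.2
    default_backend be_exchange_imaps

frontend fe_exchange_pop3s
    mode tcp
    option tcplog
    bind 10.2.0.146:995 name pop3s ssl crt /etc/haproxy/_certificado_final.pem ssl-min-ver TLSv1.2
    default_backend be_exchange_pop3s

backend be_exchange_imaps
    mode tcp
    balance source
    option log-health-checks
    # Re-encrypt to Exchange and verify its certificate against the same CA bundle
    # the HTTP backends already use; ssl-default-server-options sets the floor here.
    server mail2 opPRDSREX02.qqrtgerais.com.br.net:993 weight 20 check ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt
    server mail3 opPRDSREX03.qqrtgerais.com.br.net:993 weight 20 check ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt

backend be_exchange_pop3s
    mode tcp
    balance source
    option log-health-checks
    server mail1 opPRDSREX02.qqrtgerais.com.br.net:995 weight 20 check ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt
    server mail2 opPRDSREX03.qqrtgerais.com.br.net:995 weight 10 check ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt
```

Ports 25, 587 and 110 negotiate TLS through STARTTLS after a plaintext greeting, so a pass-through TCP frontend cannot enforce a protocol version there; TLS 1.0/1.1 must be disabled on the Exchange servers themselves for those ports. Re-run `nmap --script ssl-enum-ciphers` against 10.2.0.146 after the change to confirm only TLSv1.2 (and 1.3, if offered) remain listed.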