HAProxy configure OpenSSL version

We have a system that has two versions of OpenSSL installed: 1.1.1 and 3.0.

We run HAProxy 2.6 which automatically loads OpenSSL 1.1.1. Is there a way to manage the OpenSSL version selection?

You have to compile your haproxy version. There you can set the openssl lib path to link to version 3.x.

Okay, we only want to use an off-the-shelf HAProxy, so I consider this a missing feature then. I’ll create a feature request.

An application needs to be linked with the correct library and loaded with the corresponding shared object.

For example, you cannot link Haproxy to openssl 3.0.0 and then load OpenSSL 1.1.1, it does not work this way.

If you want a choice on your off the shelf systems, you’d have to ask your off the shelf system provider to provide different haproxy binaries, based on your wishes. This is not up to the application.

If you have haproxy linked and running with openssl 1.1.1 be glad - OpenSSL 3 performance is terrible in multithreaded applications like haproxy.

Yes you are right for the 1.1.1 → 3.0 case.
For the case where I have 3.0 and 3.1 installed it should be possible, because OpenSSL ensures ABI compatibility between versions?

I was confused because HAProxy 2.6 has support for configuration of OpenSSL providers which is an OpenSSL 3+ feature. Seems like newer versions of HAProxy are built against OpenSSL version 3+ so I will upgrade HAProxy to use OpenSSL providers.

Backwards yes, forwards no.

3.0 can’t have 3.1 ABI or APIs.

The haproxy version has nothing to do with the openssl version, this depends on build/packaging only.

Clarification, even if backwards compatibility is theoretically given, this is not a supported configuration.

Haproxy specifically implements a warning in the haproxy -vv output:

API/ABI compatibility is guaranteed for the same major version.
Reference:
https://docs.openssl.org/3.2/man7/ossl-guide-migration/#versioning-scheme

I understand now that HAProxy 2.6 can be built with OpenSSL 1.1.1 or 3.x, but it was a bit confusing (to me at least) to support 1.1.1 when there exist configuration options that are not supported for 1.1.1, i.e. provider configuration options.

So my original suggestion still applies imo.

What I meant is what haproxy actually supports, not what openssl claims is compatible.

No, as answered already the application (haproxy) does not decide what it will be linked with and neither does it decide what shared object it will load when running.
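
Added example, not part of the thread and not HAProxy project code: a shell check that reads the `Built with OpenSSL version` and `Running on OpenSSL version` lines of `haproxy -vv` and classifies any difference between the linked and the loaded library. The sample output, version strings and function names are constructed for illustration.

```shell
#!/bin/sh
# Compare the OpenSSL version HAProxy was built against with the one the
# loader resolved at runtime, using the two lines `haproxy -vv` prints.

# Constructed `haproxy -vv` excerpts (version strings are sample values).
SAMPLE_MATCH='Built with OpenSSL version : OpenSSL 1.1.1w  11 Sep 2023
Running on OpenSSL version : OpenSSL 1.1.1w  11 Sep 2023'
SAMPLE_NEWER='Built with OpenSSL version : OpenSSL 3.0.13 30 Jan 2024
Running on OpenSSL version : OpenSSL 3.1.5 30 Jan 2024'
SAMPLE_OLDER='Built with OpenSSL version : OpenSSL 3.1.5 30 Jan 2024
Running on OpenSSL version : OpenSSL 3.0.13 30 Jan 2024'

# stdin: `haproxy -vv` text; $1: "Built with" or "Running on"; prints e.g. 3.0.13
ssl_version() {
    sed -n "s/^$1 OpenSSL version : OpenSSL \([0-9][0-9A-Za-z.]*\).*/\1/p" | head -n 1
}

# Prints 1 if dotted version $1 is numerically greater than $2, else 0.
ver_gt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= n || i <= m; i++) {
            if (x[i] + 0 != y[i] + 0) { print ((x[i] + 0 > y[i] + 0) ? 1 : 0); exit }
        }
        print 0
    }'
}

# $1: full `haproxy -vv` text. Prints a verdict; status 0 only on an exact match.
check_haproxy_openssl() {
    built=$(printf '%s\n' "$1" | ssl_version "Built with")
    running=$(printf '%s\n' "$1" | ssl_version "Running on")
    if [ -z "$built" ] || [ -z "$running" ]; then
        echo "unknown"; return 2
    elif [ "$built" = "$running" ]; then
        echo "match $built"; return 0
    elif [ "${built%%.*}" != "${running%%.*}" ]; then
        echo "major-mismatch built=$built running=$running"
    elif [ "$(ver_gt "$built" "$running")" = 1 ]; then
        # Runtime library older than the build: the "forwards no" case above.
        echo "runtime-older built=$built running=$running"
    else
        # Same major, runtime not numerically older (letter suffixes are not ordered).
        echo "runtime-drift built=$built running=$running"
    fi
    return 1
}

# On a real host: check_haproxy_openssl "$(haproxy -vv)"
for s in "$SAMPLE_MATCH" "$SAMPLE_NEWER" "$SAMPLE_OLDER"; do
    check_haproxy_openssl "$s" || true
done
```

Any verdict other than `match` means the binary is running on a library other than the one it was compiled against, which the thread describes as not a supported configuration.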