When wolfSSL is built and installed under /opt/wolfssl-5.6.4 on a fresh Ubuntu 22.04, libtool prints its usual reminder at the end of make install:
Libraries have been installed in:
/opt/wolfssl-5.6.4/lib
If you ever happen to want to link against installed libraries
in a given directory, LIBDIR, you must either use libtool, and
specify the full pathname of the library, or use the '-LLIBDIR'
flag during linking and do at least one of the following:
- add LIBDIR to the 'LD_LIBRARY_PATH' environment variable
during execution
- add LIBDIR to the 'LD_RUN_PATH' environment variable
during linking
- use the '-Wl,-rpath -Wl,LIBDIR' linker flag
- have your system administrator add LIBDIR to '/etc/ld.so.conf'
See any operating system documentation about shared libraries for
more information, such as the ld(1) and ld.so(8) manual pages.
Because /opt/wolfssl-5.6.4/lib is not on the loader's default search path, the freshly built haproxy refuses to start; ldd shows the missing library, and pointing LD_LIBRARY_PATH at the directory is the quickest way to get it running for a test (the rpath and /etc/ld.so.conf options from the notice are the permanent fixes):
root@ubuntu-2gb-hel1-1:~/haproxy-2.8# ./haproxy -vv
./haproxy: error while loading shared libraries: libwolfssl.so.41: cannot open shared object file: No such file or directory
root@ubuntu-2gb-hel1-1:~/haproxy-2.8# ldd ./haproxy
linux-vdso.so.1 (0x00007ffff8749000)
libwolfssl.so.41 => not found
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f080aaad000)
/lib64/ld-linux-x86-64.so.2 (0x00007f080b02e000)
root@ubuntu-2gb-hel1-1:~/haproxy-2.8#
root@ubuntu-2gb-hel1-1:~/haproxy-2.8# LD_LIBRARY_PATH=/opt/wolfssl-5.6.4/lib ldd haproxy
linux-vdso.so.1 (0x00007ffd621ed000)
libwolfssl.so.41 => /opt/wolfssl-5.6.4/lib/libwolfssl.so.41 (0x00007fcad83e6000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fcad81b8000)
libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007fcad80d1000)
/lib64/ld-linux-x86-64.so.2 (0x00007fcad8a53000)
root@ubuntu-2gb-hel1-1:~/haproxy-2.8# LD_LIBRARY_PATH=/opt/wolfssl-5.6.4/lib ./haproxy -vv
HAProxy version 2.8.5 2023/12/07 - https://haproxy.org/
Status: long-term supported branch - will stop receiving fixes around Q2 2028.
Known bugs: http://www.haproxy.org/bugs/bugs-2.8.5.html
Running on: Linux 5.15.0-91-generic #101-Ubuntu SMP Tue Nov 14 13:30:08 UTC 2023 x86_64
Build options :
TARGET = generic
CPU = generic
CC = cc
CFLAGS = -O2 -g -Wall -Wextra -Wundef -Wdeclaration-after-statement -Wfatal-errors -Wtype-limits -Wshift-negative-value -Wshift-overflow=2 -Wduplicated-cond -Wnull-dereference -fwrapv -Wno-address-of-packed-member -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-clobbered -Wno-missing-field-initializers -Wno-cast-function-type -Wno-string-plus-int -Wno-atomic-alignment
OPTIONS = USE_OPENSSL_WOLFSSL=1 USE_QUIC=1
DEBUG = -DDEBUG_STRICT -DDEBUG_MEMORY_POOLS
Feature list : -51DEGREES -ACCEPT4 -BACKTRACE -CLOSEFROM -CPU_AFFINITY -CRYPT_H -DEVICEATLAS -DL -ENGINE -EPOLL -EVPORTS -GETADDRINFO -KQUEUE -LIBATOMIC -LIBCRYPT -LINUX_CAP -LINUX_SPLICE -LINUX_TPROXY -LUA -MATH -MEMORY_PROFILING -NETFILTER -NS -OBSOLETE_LINKER +OPENSSL +OPENSSL_WOLFSSL -OT -PCRE -PCRE2 -PCRE2_JIT -PCRE_JIT +POLL -PRCTL -PROCCTL -PROMEX -PTHREAD_EMULATION +QUIC -QUIC_OPENSSL_COMPAT -RT -SHM_OPEN +SLZ +SSL -STATIC_PCRE -STATIC_PCRE2 -SYSTEMD -TFO -THREAD -THREAD_DUMP +TPROXY -WURFL -ZLIB
Default settings :
bufsize = 16384, maxrewrite = 1024, maxpollevents = 200
Built with OpenSSL version : wolfSSL 5.6.4
Running on OpenSSL version : wolfSSL 5.6.4
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : SSLv3 TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
Built without multi-threading support (USE_THREAD not set).
Built with libslz for stateless compression.
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built without PCRE or PCRE2 support (using libc's regex instead)
Encrypted password support via crypt(3): no
Built with gcc compiler version 11.4.0
Available polling systems :
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 2 (2 usable), will use poll.
Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
quic : mode=HTTP side=FE mux=QUIC flags=HTX|NO_UPG|FRAMED
h2 : mode=HTTP side=FE|BE mux=H2 flags=HTX|HOL_RISK|NO_UPG
fcgi : mode=HTTP side=BE mux=FCGI flags=HTX|HOL_RISK|NO_UPG
<default> : mode=HTTP side=FE|BE mux=H1 flags=HTX
h1 : mode=HTTP side=FE|BE mux=H1 flags=HTX|NO_UPG
<default> : mode=TCP side=FE|BE mux=PASS flags=
none : mode=TCP side=FE|BE mux=PASS flags=NO_UPG
Available services : none
Available filters :
[BWLIM] bwlim-in
[BWLIM] bwlim-out
[CACHE] cache
[COMP] compression
[FCGI] fcgi-app
[SPOE] spoe
[TRACE] trace
root@ubuntu-2gb-hel1-1:~/haproxy-2.8#
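The libtool notice above lists the permanent alternatives to LD_LIBRARY_PATH. The following helpers are an added example, not code from the original write-up or from the wolfSSL or HAProxy projects: they pull the unresolved libraries out of ldd output, produce the haproxy build line that embeds an rpath, and register the library directory system-wide with a safety check. Paths follow the page (/opt/wolfssl-5.6.4); the function names are mine, and /opt/wolfssl-5.6.4/include is assumed to be the matching header directory.

```shell
# Added example (not from the original write-up): helpers that diagnose the
# "cannot open shared object file" failure and apply the permanent fixes from
# the libtool notice, so haproxy starts without LD_LIBRARY_PATH.
# Paths follow the page (/opt/wolfssl-5.6.4); the function names are mine, and
# /opt/wolfssl-5.6.4/include is assumed to hold the matching headers.

WOLFSSL_PREFIX=/opt/wolfssl-5.6.4

# Print the libraries the loader cannot resolve, one per line.
# Usage: ldd ./haproxy | missing_shared_libs
missing_shared_libs() {
    awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }'
}

# Linker flag that embeds LIBDIR as the run-time search path (DT_RUNPATH),
# i.e. the '-Wl,-rpath' option from the notice.
rpath_flag() {
    printf '%s\n' "-Wl,-rpath,$1"
}

# haproxy build line that bakes the rpath into the binary. SSL_INC, SSL_LIB
# and ADDLIB are variables of haproxy's own Makefile (see its INSTALL file);
# SSL_LIB already supplies the matching -L flag.
haproxy_build_cmd() {
    printf "make TARGET=generic USE_OPENSSL_WOLFSSL=1 USE_QUIC=1 SSL_INC=%s/include SSL_LIB=%s/lib ADDLIB='%s'\n" \
        "$WOLFSSL_PREFIX" "$WOLFSSL_PREFIX" "$(rpath_flag "$WOLFSSL_PREFIX/lib")"
}

# Show whether a binary already carries an embedded search path.
show_runpath() {
    readelf -d "$1" | grep -E 'RPATH|RUNPATH' || echo "no rpath embedded in $1"
}

# The '/etc/ld.so.conf' option from the notice, done the Ubuntu way with a
# drop-in file (needs root). Refuse a directory that is missing, not
# root-owned or world-writable: once registered, every process on the host
# will load whatever libwolfssl.so.41 is placed there.
register_libdir_systemwide() {
    libdir=$1
    [ -d "$libdir" ] || return 1
    if [ -n "$(find "$libdir" -maxdepth 0 \( ! -user root -o -perm -o+w \))" ]; then
        echo "refusing: $libdir must be root-owned and not world-writable" >&2
        return 1
    fi
    printf '%s\n' "$libdir" > /etc/ld.so.conf.d/wolfssl.conf
    ldconfig
    ldconfig -p | grep libwolfssl.so.41
}
```

Either permanent option is preferable to the environment variable once haproxy leaves the test box: a systemd unit would otherwise need an Environment= line, and the loader ignores LD_LIBRARY_PATH entirely for setuid binaries. TARGET=generic is kept from the page's build; on Ubuntu, TARGET=linux-glibc is the usual choice, since it enables epoll, threads, splice and most of the other Linux-specific features that the -vv output above shows as disabled.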
A quick test with an SSL frontend (the classic TLS termination setup) on the haproxy server confirms that everything works. The configuration used:
defaults
    mode http
    timeout client 10s
    timeout server 10s
    timeout connect 10s

global
    maxconn 10

frontend a
    bind :443 ssl crt /root/openssl-cert/combined.pem
    default_backend b

backend b
    http-request return status 200 content-type "text/plain" string "ok"
Running haproxy in the foreground in debug mode (-d), which prints every accepted connection and request:
root@ubuntu-2gb-hel1-1:~/haproxy-2.8# LD_LIBRARY_PATH=/opt/wolfssl-5.6.4/lib ./haproxy -f /root/openssl-cert/haproxy.cfg -d
Available polling systems :
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 2 (2 usable), will use poll.
Available filters :
[BWLIM] bwlim-in
[BWLIM] bwlim-out
[CACHE] cache
[COMP] compression
[FCGI] fcgi-app
[SPOE] spoe
[TRACE] trace
Using poll() as the polling mechanism.
00000000:a.accept(0003)=0006 from [127.0.0.1:54620] ALPN=h2
00000000:a.clireq[0006:ffffffff]: GET https://localhost/ HTTP/2.0
00000000:a.clihdr[0006:ffffffff]: host: localhost
00000000:a.clihdr[0006:ffffffff]: user-agent: curl/7.81.0
00000000:a.clihdr[0006:ffffffff]: accept: */*
00000000:b.clicls[0006:ffff]
00000000:b.closed[0006:ffff]
00000001:a.accept(0003)=0006 from [127.0.0.1:59182] ALPN=h2
00000001:a.clireq[0006:ffffffff]: GET https://localhost/ HTTP/2.0
00000001:a.clihdr[0006:ffffffff]: host: localhost
00000001:a.clihdr[0006:ffffffff]: user-agent: curl/7.81.0
00000001:a.clihdr[0006:ffffffff]: accept: */*
00000001:b.clicls[0006:ffff]
00000001:b.closed[0006:ffff]
^C
Running curl against it (-k is needed because the certificate is issued by a private CA that curl does not trust, as the verify result line shows):
root@ubuntu-2gb-hel1-1:~# curl -vvvk https://localhost
* Trying 127.0.0.1:443...
* Connected to localhost (127.0.0.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
* subject: C=NG; ST=Rivers; L=PHC; O=Mono Finance; OU=Finance; CN=*.monofinance.net; emailAddress=mrikehchukwuka@gmail.com
* start date: Dec 18 16:05:24 2023 GMT
* expire date: Feb 16 16:05:24 2024 GMT
* issuer: C=NG; ST=Rivers; L=Choba; O=Mono Institution; OU=Finance; CN=*.monoinstitute.net; emailAddress=monoinstitute@gmail.com
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* Using Stream ID: 1 (easy handle 0x55ca66d12e90)
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> GET / HTTP/2
> Host: localhost
> user-agent: curl/7.81.0
> accept: */*
>
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
< HTTP/2 200
< content-length: 2
< content-type: text/plain
<
* Connection #0 to host localhost left intact
okroot@ubuntu-2gb-hel1-1:~#
root@ubuntu-2gb-hel1-1:~#
root@ubuntu-2gb-hel1-1:~# curl -k https://localhost
okroot@ubuntu-2gb-hel1-1:~#
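The test above works, but curl -k skipped two things a deployment would not: the chain is not verified against the issuing CA, and the certificate name (*.monofinance.net) is never compared with the host (localhost). The haproxy -vv output also lists SSLv3, TLSv1.0 and TLSv1.1 as supported by the library. The following is an added example, not part of the original write-up: a hardened variant of the same configuration and the checks that exercise it properly. Paths follow the page. Assumed: a file ca.pem holding the "Mono Institution" issuer certificate, www.monofinance.net as a name covered by the wildcard certificate, and that wolfSSL's OpenSSL compatibility layer honours ssl-min-ver (probe_tls is there to confirm it). The function names are mine.

```shell
# Added example (not from the original write-up): a hardened variant of the
# test configuration plus checks that exercise it without curl -k.
# Paths follow the page. Assumptions: ca.pem holds the issuing CA certificate,
# www.monofinance.net is covered by the *.monofinance.net certificate, and
# wolfSSL honours ssl-min-ver (probe_tls checks it). Function names are mine.

HAPROXY_BIN=./haproxy
WOLFSSL_LIB=/opt/wolfssl-5.6.4/lib
HOST=www.monofinance.net

# Same frontend/backend as the page's test; the global section additionally
# refuses the pre-1.2 protocols that 'haproxy -vv' lists as supported, and the
# bind line makes the ALPN list explicit instead of relying on the default.
write_hardened_cfg() {
    cat > "$1" <<'EOF'
global
    maxconn 10
    ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
    mode http
    timeout client 10s
    timeout server 10s
    timeout connect 10s

frontend a
    bind :443 ssl crt /root/openssl-cert/combined.pem alpn h2,http/1.1
    default_backend b

backend b
    http-request return status 200 content-type "text/plain" string "ok"
EOF
}

# Parse the configuration without starting the proxy.
check_cfg() {
    LD_LIBRARY_PATH=$WOLFSSL_LIB "$HAPROXY_BIN" -c -f "$1"
}

# Negative check: a client capped at TLS 1.1 must not get a connection.
# Positive check: verify the chain against the issuing CA and the certificate
# name, both of which -k skipped. --resolve keeps the request on 127.0.0.1
# while presenting a hostname the certificate actually covers.
probe_tls() {
    ca=$1
    if curl -sS --tls-max 1.1 -k -o /dev/null --resolve "$HOST:443:127.0.0.1" "https://$HOST/"; then
        echo "FAIL: server accepted TLS 1.1" >&2
        return 1
    fi
    curl -sS --cacert "$ca" --resolve "$HOST:443:127.0.0.1" \
        -o /dev/null -w 'http=%{http_code} verify=%{ssl_verify_result}\n' "https://$HOST/"
}
```

Typical use is write_hardened_cfg /root/openssl-cert/haproxy.cfg, check_cfg on that file, start haproxy as on the page, then probe_tls /root/openssl-cert/ca.pem, which should print http=200 verify=0. Note that on Ubuntu 22.04 the client's own OpenSSL policy may already refuse TLS 1.1, so a failing negative check proves the connection did not happen rather than which side declined it; haproxy's debug output (-d) shows whether a handshake reached the frontend.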