HAProxy support of AWS cloudHSM

Does HAProxy support connecting to an AWS cloudHSM?

Is there a way to configure the openssl engine to work in this setup? I’ve tried patching together details from the following guides for Apache and Nginx and didn’t get anywhere:

https://docs.aws.amazon.com/cloudhsm/latest/userguide/openssl-library-install.html#w317aac15c12c11c13b5b2b3b3

I created the SSL pem with the cert chain pem and fake secret key pem, but it doesn’t work; I suspect the engine in play doesn’t expect the secret key pem.

Any help appreciated.

You can specify the openssl engine in the haproxy configuration.

But that’s about it.

I cannot walk you through the setup with cloudHSM, because I don’t know anything about it (or the setup with custom openssl engines).

Thanks @lukastribus. I think I need to upgrade my haproxy to version 1.8 to use this feature.

If anyone has any sample configurations I’d really appreciate it. My Googling skills are letting me down or there are none available online.

As far as I can see, haproxy should be pretty much unaware of how openssl deals with the requests once an appropriate engine is configured correctly; it’s the method of configuring said engines, particularly with Amazon cloudHSM, which would be the holy grail.


So just by means of an update: after updating to haproxy 1.8 and specifying the ssl-engine cloudhsm, everything is working as advertised.

Hopefully this will help someone else in the future.
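For reference, a minimal HAProxy 1.8+ configuration of the kind the update above describes, added here as an illustration rather than taken from the thread or from HAProxy's own documentation. The file path, frontend and backend names, and the backend address are assumptions; the crt file is assumed to be the combined cert chain plus fake (HSM-referencing) key PEM the original poster built per the AWS guide.

```haproxy
global
    log /dev/log local0
    # Load the CloudHSM OpenSSL dynamic engine so private-key operations
    # for TLS handshakes are delegated to the HSM. Optionally restrict the
    # engine to a list of algorithms with "ssl-engine cloudhsm algo RSA".
    ssl-engine cloudhsm

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend https_in
    # Assumed path: combined certificate chain + engine-specific key PEM.
    bind :443 ssl crt /etc/haproxy/certs/site.pem
    default_backend app

backend app
    # Assumed backend address for illustration only.
    server app1 127.0.0.1:8080 check
```

Validate the file with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading; if the engine fails to load, the error appears at this stage rather than at the first TLS handshake.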


OpenSSL 1.1 is end of life, and OpenSSL 3 doesn’t use engines anymore. Is there a way to get this to work with OpenSSL 3?