HAProxy with Old SHA1 Backend

Hello. I have a working HAProxy server, but I’m trying to add a backend that is very old and only uses SHA1.

On my listen directive, I have ssl-min-ver TLSv1.2. But I’m thinking this wouldn’t have anything to do with the backend?

My backend is configured as:
server novell 192.168.1.54:443 ssl verify none

However, when I try to access it through HAProxy, logs show:
OpenSSL error[0xa000152] final_renegotiate: unsafe legacy renegotiation disabled

Then it returns Error 503 Server unavailable.

How can I get my old server proxied through HAProxy?

Ok, after further research, I know this is an OpenSSL issue. I recently upgraded to Debian 12 on this server and it installed OpenSSL 3.0.11, and this removed TLSv1 completely. But why wouldn’t “verify none” overcome this and ignore the insecure certificate from the backend? Am I just out of luck? Is there no way to get this working?

Dumb. Nobody ever replies on this forum when asking for help.

Ok. Finally figured it out… I knew it was an OpenSSL issue, but since nobody on here seems to assist, I searched and searched.

Found this: docker - What to do if CipherString = DEFAULT@SECLEVEL=1 in openssl 3 configuration file is not working - Stack Overflow

This explains how to enable TLSv1 for OpenSSL… This didn’t completely fix the issue though. I also had to add the following line under [tls_system_default]:
Options = UnsafeLegacyServerConnect

Hopefully this post at least helps someone else.

HAProxy 3.0 has the ssl-security-level keyword, which allows you to set it directly in HAProxy without changing openssl.cnf, which affects the whole system configuration.

http://docs.haproxy.org/3.0/configuration.html#ssl-security-level

When using OpenSSL 3 you need a seclevel of 0, because SHA1 is still disabled with seclevel=1.

https://www.openssl.org/docs/man3.3/man3/SSL_CTX_set_security_level.html

Note that signatures using SHA1 and MD5 are also forbidden at this level as they have less than 80 security bits
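As an added illustration of the reply above (this is example configuration, not from the original poster or from the HAProxy project), here is how the per-process setting fits into a haproxy.cfg. It assumes HAProxy 3.0 or later, a frontend certificate at the made-up path /etc/haproxy/certs/frontend.pem, and the backend address from the original post. ssl-security-level 0 only removes OpenSSL's "fewer than 80 security bits" rejection of the SHA1 certificate; the separate "unsafe legacy renegotiation disabled" error is controlled by a different OpenSSL option, and the only fix for it shown in this thread is the Options = UnsafeLegacyServerConnect line in openssl.cnf, so that may still be needed alongside this.

```haproxy
# haproxy.cfg -- added example, requires HAProxy 3.0+ for ssl-security-level
global
    log stdout format raw local0
    # Lower OpenSSL's security level for this HAProxy process only,
    # instead of editing the system-wide openssl.cnf. Level 0 is needed
    # because level 1 still rejects SHA1/MD5 signatures (< 80 security bits).
    # This weakens every TLS context HAProxy creates (frontends included),
    # so the frontend below pins its own protocol floor explicitly.
    ssl-security-level 0

defaults
    mode http
    log global
    timeout connect 5s
    timeout client 30s
    timeout server 30s

frontend fe_novell
    # Clients still get a TLS 1.2 floor: ssl-security-level does not change
    # ssl-min-ver, it only changes which certificates/ciphers OpenSSL will
    # accept within the enabled versions.
    # /etc/haproxy/certs/frontend.pem is an assumed path.
    bind :443 ssl crt /etc/haproxy/certs/frontend.pem ssl-min-ver TLSv1.2
    default_backend be_novell

backend be_novell
    # Server line from the original post. "verify none" only skips
    # certificate chain/hostname validation; it does not bypass OpenSSL's
    # security level or the legacy renegotiation check, which is why the
    # original poster still saw the 503.
    server novell 192.168.1.54:443 ssl verify none
```

To confirm which of the two problems remains before touching HAProxy, test the backend directly from the same host with openssl s_client: adding -cipher 'DEFAULT@SECLEVEL=0' reproduces the security-level change, and -legacy_server_connect reproduces the UnsafeLegacyServerConnect option, so you can see which flag the old server actually needs. Treat the lowered level as scoped to this one legacy backend and remove it when that server is retired.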

I started to write an FAQ to help people debug that kind of issue: