Hey Guys, I recently updated my config to use the latest ciphers and TLS1.2+ version, which should be fine for the valid traffic. However, I’m now seeing a lot of “SSL handshake failure” logs that I suspect are related to non-legitimate traffic. Is there any way to filter out or silence these logs?
global
chroot /var/lib/haproxy
daemon
group haproxy
hard-stop-after 12h
log syslog.example.com:514 len 4096 format rfc5424 syslog
maxconn 210000
nbthread 3
spread-checks 3
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
ssl-default-server-options ssl-min-ver TLSv1.2 no-tls-tickets
stats socket /var/lib/haproxy/stats uid 0 gid 0 mode 0640 level admin expose-fd listeners
stats socket /var/lib/haproxy/monitoring user root group monitoring mode 0660 level user
stats bind-process all
tune.bufsize 16384
tune.h2.max-concurrent-streams 8096
tune.maxrewrite 1024
tune.ssl.cachesize 100000
tune.ssl.default-dh-param 2048
tune.ssl.lifetime 600
ulimit-n 500000
user haproxy
defaults
errorfile 400 /etc/haproxy/errors/400.html
errorfile 401 /etc/haproxy/errors/401.html
errorfile 403 /etc/haproxy/errors/403.html
errorfile 405 /etc/haproxy/errors/405.html
errorfile 408 /etc/haproxy/errors/408.html
errorfile 429 /etc/haproxy/errors/429.html
errorfile 500 /etc/haproxy/errors/500.html
errorfile 502 /etc/haproxy/errors/502.html
errorfile 503 /etc/haproxy/errors/503.html
errorfile 504 /etc/haproxy/errors/504.html
log global
log-format "{ \"haproxy_log_format\":\"http\", \"haproxy_client_ip\":\"%ci\", \"haproxy_x_forwarded_for\":%{+Q}[capture.req.hdr(2)], \"haproxy_client_port\":\"%cp\", \"haproxy_date_time\":\"%t\", \"haproxy_frontend_name_transport\":\"%ft\", \"haproxy_backend_name\":\"%b\", \"haproxy_server_name\":\"%s\", \"haproxy_total_time\":%TR, \"haproxy_time_establish_tcp\":%Tc, \"haproxy_total_session_duration_time\":%Tt, \"haproxy_connection_handshake_time\":%Th, \"haproxy_bytes_read\":%B, \"haproxy_bytes_uploaded\":%U, \"haproxy_termination_state\":\"%ts\", \"haproxy_process_concurrent_connections\":%ac, \"haproxy_frontend_current_connections\":%fc, \"haproxy_backend_current_connections\":%bc, \"haproxy_server_concurrent_connections\":%sc, \"haproxy_retries\":%rc, \"haproxy_server_queue\":%sq, \"haproxy_backend_source_ip\":\"%bi\", \"haproxy_backend_source_port\":\"%bp\", \"haproxy_backend_queue\":%bq, \"haproxy_req_hrd_host\":%{+Q}[capture.req.hdr(0)], \"haproxy_req_hrd_user_agent\":%{+Q}[capture.req.hdr(1)], \"haproxy_ssl_ciphers\":\"%sslc\", \"haproxy_ssl_version\":\"%sslv\", \"haproxy_http_method\":\"%HM\", \"haproxy_http_ver\":\"%HV\", \"haproxy_request_url\":\"%HU\", \"haproxy_status_code\":%ST }"
maxconn 120000
mode http
option redispatch
option dontlognull
retries 3
timeout http-request 302s
timeout queue 60s
timeout connect 5s
timeout client 302s
timeout server 302s
timeout check 1s
haproxy -vv
HAProxy version 2.6.15-1.el7 2023/08/09 - https://haproxy.org/
Status: long-term supported branch - will stop receiving fixes around Q2 2027.
Known bugs: http://www.haproxy.org/bugs/bugs-2.6.15.html
Running on: Linux 3.10.0-1160.99.1.el7.x86_64 #1 SMP Wed Sep 13 14:19:20 UTC 2023 x86_64
Build options :
TARGET = linux-glibc
CPU = generic
CC = cc
CFLAGS = -O2 -g -Wall -Wextra -Wundef -Wdeclaration-after-statement -Wfatal-errors -Wtype-limits -fwrapv -Wno-address-of-packed-member -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-clobbered -Wno-missing-field-initializers -Wno-cast-function-type -Wno-string-plus-int -Wno-atomic-alignment
OPTIONS = USE_PCRE=1 USE_OPENSSL=1 USE_LUA=1 USE_ZLIB=1 USE_DL=1 USE_SYSTEMD=1
DEBUG = -DDEBUG_STRICT -DDEBUG_MEMORY_POOLS
Feature list : -51DEGREES +ACCEPT4 +BACKTRACE -CLOSEFROM +CPU_AFFINITY +CRYPT_H -DEVICEATLAS +DL -ENGINE +EPOLL -EVPORTS +GETADDRINFO -KQUEUE +LIBCRYPT +LINUX_SPLICE +LINUX_TPROXY +LUA -MEMORY_PROFILING +NETFILTER +NS -OBSOLETE_LINKER +OPENSSL -OT +PCRE -PCRE2 -PCRE2_JIT -PCRE_JIT +POLL +PRCTL -PROCCTL -PROMEX -QUIC +RT -SLZ -STATIC_PCRE -STATIC_PCRE2 +SYSTEMD +TFO +THREAD +THREAD_DUMP +TPROXY -WURFL +ZLIB
Default settings :
bufsize = 16384, maxrewrite = 1024, maxpollevents = 200
Built with multi-threading support (MAX_THREADS=64, default=3).
Built with OpenSSL version : OpenSSL 1.0.2k-fips 26 Jan 2017
Running on OpenSSL version : OpenSSL 1.0.2k-fips 26 Jan 2017
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : SSLv3 TLSv1.0 TLSv1.1 TLSv1.2
Built with Lua version : Lua 5.4.6
Built with network namespace support.
Support for malloc_trim() is enabled.
Built with zlib version : 1.2.7
Running on zlib version : 1.2.7
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built with PCRE version : 8.32 2012-11-30
Running on PCRE version : 8.32 2012-11-30
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Encrypted password support via crypt(3): yes
Built with gcc compiler version 4.8.5 20150623 (Red Hat 4.8.5-44)
Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.
Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
h2 : mode=HTTP side=FE|BE mux=H2 flags=HTX|HOL_RISK|NO_UPG
fcgi : mode=HTTP side=BE mux=FCGI flags=HTX|HOL_RISK|NO_UPG
<default> : mode=HTTP side=FE|BE mux=H1 flags=HTX
h1 : mode=HTTP side=FE|BE mux=H1 flags=HTX|NO_UPG
<default> : mode=TCP side=FE|BE mux=PASS flags=
none : mode=TCP side=FE|BE mux=PASS flags=NO_UPG
Available services : none
Available filters :
[CACHE] cache
[COMP] compression
[FCGI] fcgi-app
[SPOE] spoe
[TRACE] trace
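One way to deal with the noise without losing the signal is to filter downstream of HAProxy, at the syslog collector, rather than silencing the lines at the source: drop the per-connection "SSL handshake failure" messages from what gets forwarded, but keep a per-client count, because a single source failing hundreds of handshakes (a scanner, or a misconfigured client) looks very different from a long tail of old clients that simply cannot do TLS 1.2. The script below is an added example written for this thread, not code from the original post or from the HAProxy project. It assumes the log stream is RFC 5424 syslog as in the config above, that HTTP request lines carry the JSON log-format from the question (abridged here), and that connection errors arrive in HAProxy's usual shape of "<ip>:<port> [<date>] <frontend>/<bind>: SSL handshake failure"; the sample lines are constructed and the IPs are documentation ranges.

```python
import json
import re
from collections import Counter

# Constructed sample RFC 5424 lines; not from the original post. Two kinds of
# messages share the stream: HTTP request logs in the question's JSON log-format
# (abridged), and connection-level "SSL handshake failure" messages, which
# HAProxy emits before any HTTP request exists and which therefore never pass
# through the HTTP log-format at all.
SAMPLE_LOG = """\
<134>1 2023-10-01T12:00:00Z lb1 haproxy 1234 - - { "haproxy_log_format":"http", "haproxy_client_ip":"198.51.100.10", "haproxy_ssl_version":"TLSv1.2", "haproxy_status_code":200 }
<134>1 2023-10-01T12:00:01Z lb1 haproxy 1234 - - 203.0.113.7:51234 [01/Oct/2023:12:00:01.000] fe_https/1: SSL handshake failure
<134>1 2023-10-01T12:00:02Z lb1 haproxy 1234 - - 203.0.113.7:51240 [01/Oct/2023:12:00:02.000] fe_https/1: SSL handshake failure
<134>1 2023-10-01T12:00:03Z lb1 haproxy 1234 - - 192.0.2.55:40001 [01/Oct/2023:12:00:03.000] fe_https/1: SSL handshake failure
<134>1 2023-10-01T12:00:04Z lb1 haproxy 1234 - - { "haproxy_log_format":"http", "haproxy_client_ip":"198.51.100.11", "haproxy_ssl_version":"TLSv1.3", "haproxy_status_code":404 }
"""

# Assumed shape of the connection-error message:
# "<ip>:<port> [<date>] <frontend>/<bind>: SSL handshake failure" with an
# optional trailing detail (newer releases append a reason).
HANDSHAKE_RE = re.compile(
    r"^(?P<ip>\S+):(?P<port>\d+) \[[^\]]+\] "
    r"(?P<frontend>\S+?)/(?P<bind>\d+): SSL handshake failure(?P<detail>.*)$"
)


def syslog_message(line):
    """Return the MSG part of an RFC 5424 line (text after the '- -' MSGID/SD fields)."""
    return line.split(" - - ", 1)[-1].strip()


def classify(line):
    """Return ('http', parsed JSON) for request logs, ('handshake', match fields)
    for SSL handshake failures, or ('other', {'msg': ...}) for anything else."""
    msg = syslog_message(line)
    if msg.startswith("{"):
        try:
            return "http", json.loads(msg)
        except json.JSONDecodeError:
            return "other", {"msg": msg}
    m = HANDSHAKE_RE.match(msg)
    if m:
        return "handshake", m.groupdict()
    return "other", {"msg": msg}


def filter_log(text, keep_handshake_failures=False):
    """Split a log stream into the lines worth forwarding and a per-client
    count of handshake failures. Dropping the raw failure lines removes the
    noise; the counter keeps the signal for alerting or a periodic summary."""
    kept = []
    failures_by_ip = Counter()
    for line in text.splitlines():
        if not line.strip():
            continue
        kind, data = classify(line)
        if kind == "handshake":
            failures_by_ip[data["ip"]] += 1
            if keep_handshake_failures:
                kept.append(line)
        else:
            kept.append(line)
    return kept, failures_by_ip


if __name__ == "__main__":
    kept, failures = filter_log(SAMPLE_LOG)
    print(f"forwarded {len(kept)} lines, dropped {sum(failures.values())} handshake failures")
    for ip, n in failures.most_common():
        print(f"  {ip}: {n} failed handshake(s)")
```

Run as-is it forwards the two HTTP lines and reports two failures from 203.0.113.7 and one from 192.0.2.55; in a real pipeline the counter would be flushed to a metric or a summary line every few minutes. On the HAProxy side itself, 2.5 and later releases let a frontend customise these connection-error lines through the error-log-format directive (the fc_err_str sample fetch gives the failure reason), which is worth looking at before deciding whether the lines should be silenced entirely.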