Hi!
Since we updated our Linux server, HAProxy has been unable to connect to our IIS backend server.
Before the update, everything worked fine, even though the certificate on IIS was self-signed and expired.
And I can connect with Firefox, Chrome, and Edge locally on the backend server with the TLS 1.2 cipher TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA.
I'm running HAProxy 2.4.22, the version available on Ubuntu 22.04.03.
I have tried many things, but now I'm out of ideas.
Thank you
Here is our config:
global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    user haproxy
    group haproxy
    daemon
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private
    # frontend (bind-side) TLS policy; no ssl-default-server-* options are set, so backend
    # connections use the library defaults
    ssl-default-bind-options ssl-min-ver TLSv1.1 no-tls-tickets
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:@SECLEVEL=1
    tune.ssl.default-dh-param 2048

defaults
    log global
    mode http
    option forwardfor
    option httplog
    option dontlognull
    timeout connect 5000
    timeout client 50000
    timeout server 100000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

frontend Local_Server
    bind *:80
    bind *:443 ssl crt /etc/haproxy/ssl_self/domain.ca.pem crt /etc/haproxy/ssl/
    mode http
    acl rdgw_path path_beg -i /remoteDesktopGateway/
    acl dns_sub hdr(host) sub.domain.ca
    http-request deny if rdgw_path dns_sub
    redirect scheme https code 301 if !host_allow_http !{ ssl_fc }
    acl letsencrypt-acl path_beg /.well-known/acme-challenge/
    use_backend letsencrypt-backend if letsencrypt-acl
    use_backend Other_Server if { ssl_fc_sni sub.domain.ca }
    default_backend Backend_ServerHTTP

backend letsencrypt-backend
    server letsencrypt 127.0.0.1:83

backend Backend_ServerHTTP
    mode http
    option forwardfor header X-Client
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    server noname 192.168.18.14:80

backend Other_Server
    mode http
    log global
    timeout connect 4s
    timeout server 300s
    option httpchk GET /RDWeb
    cookie RDGW insert nocache
    # IIS backend over TLS: certificate verification disabled, TLS 1.1 forced
    server srv-1 192.168.0.30:443 check ssl verify none force-tlsv11
Here is the log after a restart of HAProxy:
Jan 11 16:34:29 srv-ubuntux64 haproxy[53339]: [WARNING] (53339) : Exiting Master process...
Jan 11 16:34:29 srv-ubuntux64 haproxy[53339]: [NOTICE] (53339) : haproxy version is 2.4.22-0ubuntu0.22.04.3
Jan 11 16:34:29 srv-ubuntux64 haproxy[53339]: [NOTICE] (53339) : path to executable is /usr/sbin/haproxy
Jan 11 16:34:29 srv-ubuntux64 haproxy[53339]: [ALERT] (53339) : Current worker #1 (53341) exited with code 143 (Terminated)
Jan 11 16:34:29 srv-ubuntux64 haproxy[53339]: [WARNING] (53339) : All workers exited. Exiting... (0)
Jan 11 16:34:30 srv-ubuntux64 haproxy[57679]: [NOTICE] (57679) : New worker #1 (57681) forked
Jan 11 16:34:32 srv-ubuntux64 haproxy[57681]: Server Other_Server/srv-1 is DOWN, reason: Layer6 invalid response, info: "SSL handshake failure", check duration: 7ms. 0 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
Jan 11 16:34:32 srv-ubuntux64 haproxy[57681]: Server Other_Server/srv-1 is DOWN, reason: Layer6 invalid response, info: "SSL handshake failure", check duration: 7ms. 0 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
Jan 11 16:34:32 srv-ubuntux64 haproxy[57681]: backend Other_Server has no server available!
Jan 11 16:34:32 srv-ubuntux64 haproxy[57681]: [WARNING] (57681) : Server Other_Server/srv-1 is DOWN, reason: Layer6 invalid response, info: "SSL handshake failure", check duration: 7ms. 0 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
Jan 11 16:34:32 srv-ubuntux64 haproxy[57681]: [NOTICE] (57681) : haproxy version is 2.4.22-0ubuntu0.22.04.3
Jan 11 16:34:32 srv-ubuntux64 haproxy[57681]: [NOTICE] (57681) : path to executable is /usr/sbin/haproxy
Jan 11 16:34:32 srv-ubuntux64 haproxy[57681]: [ALERT] (57681) : backend 'Other_Server' has no server available!
Here is the result of "curl -vv https://srv-1:443":
* Trying 192.168.0.30:443...
* Connected to srv-1 (192.168.0.30) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: Connection reset by peer in connection to srv-1:443
* Closing connection 0
* TLSv1.0 (OUT), TLS header, Unknown (21):
* TLSv1.3 (OUT), TLS alert, decode error (562):
curl: (35) OpenSSL SSL_connect: Connection reset by peer in connection to srv-1:443
And with "openssl s_client -connect srv-1:443":
CONNECTED(00000003)
write:errno=104
--
no peer certificate available
--
No client certificate CA names sent
--
SSL handshake has read 0 bytes and written 297 bytes
Verification: OK
--
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
And with "openssl s_client -connect srv-1:443 -tls1_1":
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 CN = SRV-1
verify error:num=18:self-signed certificate
verify return:1
depth=0 CN = SRV-1
verify error:num=10:certificate has expired
notAfter=Jan 14 00:00:00 2021 GMT
verify return:1
depth=0 CN = SRV-1
notAfter=Jan 14 00:00:00 2021 GMT
verify return:1
4097321C9A7F0000:error:0A0C0103:SSL routines:tls_process_key_exchange:internal error:../ssl/statem/statem_clnt.c:2248:
---
Certificate chain
0 s:CN = SRV-1
i:CN = SRV-1
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA1
v:NotBefore: Jan 14 15:14:29 2020 GMT; NotAfter: Jan 14 00:00:00 2021 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDAjCCAeqgAwIBAgIQORyVs1VB6btMoF3PFz2GojANBgkqhkiG9w0BAQUFADAq
................................................................
lZ7AGZJs
-----END CERTIFICATE-----
subject=CN = SRV-1
issuer=CN = SRV-1
---
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 1209 bytes and written 111 bytes
Verification error: certificate has expired
---
New, (NONE), Cipher is (NONE)
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.1
Cipher : 0000
Session-ID: 714C0000440E751B6CFD83BD164C14A2E784C0C710FAAEA8BD0481C9DD990637
Session-ID-ctx:
Master-Key:
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1704991784
Timeout : 7200 (sec)
Verify return code: 10 (certificate has expired)
Extended master secret: yes
---