Library does not support TLS ALPN extension


#1

Hello,

When trying to enable HTTP/2 on the latest HAProxy 1.8.1 I'm always getting a "library does not support TLS ALPN extension" error.

By default I try:

frontend http2
bind *:443 ssl crt /etc/haproxy/ssl/ alpn h2,http/1.1

CentOS Linux release 7.4.1708
OpenSSL 1.0.2k-fips 26 Jan 2017

But I also tried to do the same with the latest OpenSSL 1.0.2n and with the no-shared param as described in this tutorial:
http://m12.io/blog/http-2-with-haproxy-and-nginx-guide

No luck. Any thoughts?

Thank you


#2

You're not compiling it correctly.

Provide the output of "haproxy -vv" and all the commands you use to compile both openssl and haproxy.


#3

Hello Lukas,

I also tried a few other things, but mostly like the tutorial.

I first tried just to compile haproxy 1.8.1 with the CentOS 7 openssl-1.0.2k on the system, and it did not work.

Then I tried to compile the new openssl-1.0.2n locally as described in the haproxy README:

$ export STATICLIBSSL=/tmp/staticlibssl
$ ./config --prefix=$STATICLIBSSL no-shared
$ make && make install_sw
$ /tmp/staticlibssl/bin/openssl version
OpenSSL 1.0.2n 7 Dec 2017

Then haproxy 1.8.1:

$ make TARGET=linux2628 USE_OPENSSL=1 SSL_INC=$STATICLIBSSL/include SSL_LIB=$STATICLIBSSL/lib ADDLIB=-ldl
$ make install
$ haproxy -vv

HA-Proxy version 1.8.1 2017/12/03
Copyright 2000-2017 Willy Tarreau <willy@haproxy.org>

Build options :
TARGET = linux2628
CPU = generic
CC = gcc
CFLAGS = -O2 -g -fno-strict-aliasing -DTCP_USER_TIMEOUT=18
OPTIONS = USE_LINUX_TPROXY=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_PCRE=1 USE_PCRE_JIT=1

Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with OpenSSL version : OpenSSL 1.0.2n 7 Dec 2017
Running on OpenSSL version : OpenSSL 1.0.2n 7 Dec 2017
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : SSLv3 TLSv1.0 TLSv1.1 TLSv1.2
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Encrypted password support via crypt(3): yes
Built with multi-threading support.
Built with PCRE version : 8.32 2012-11-30
Running on PCRE version : 8.32 2012-11-30
PCRE library supports JIT : yes
Built with zlib version : 1.2.7
Running on zlib version : 1.2.7
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with network namespace support.

Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.

Available filters :
[SPOE] spoe
[COMP] compression
[TRACE] trace

Then added the ALPN line to haproxy.cfg:

frontend http2
bind *:443 ssl crt /etc/haproxy/ssl/ alpn h2,http/1.1
$ haproxy restart

Dec 12 22:27:13 testing1 haproxy-systemd-wrapper[5972]: [ALERT] 345/222713 (5973) : parsing [/etc/haproxy/haproxy.cfg:131] : 'bind *:443' : 'alpn' : library does not support TLS ALPN extension

:frowning:

Thank you!


#4

You are starting the haproxy-systemd-wrapper, which haproxy 1.8 does not have anymore. This means you are using the old systemd-wrapper from haproxy 1.7.

Delete the file haproxy-systemd-wrapper and fix your startup scripts, so that the correct executable is used.

Also, CentOS 7.4 has OpenSSL 1.0.2 built in; you don't even have to compile it yourself.
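The reply above boils the problem down to three checks: which executable the systemd unit really starts, whether the haproxy binary on PATH was built against an OpenSSL that has ALPN (1.0.2 or later), and what a running frontend actually negotiates. The following POSIX shell helper is an added example, not code from this thread or from the HAProxy project, that performs those checks. The parsers are fed text (a constructed ExecStart line, the `haproxy -vv` excerpt quoted in #3, and `openssl s_client` output); `diagnose` and `probe_alpn` are the only parts that need a live system, and the function and script names are my own.

```shell
#!/bin/sh
# Added diagnostic helper (not from the thread or the HAProxy project).
# Checks the three points raised in #4 for an "alpn" parse error:
#   1. which executable the systemd unit really starts,
#   2. whether the haproxy build's OpenSSL is new enough for ALPN (>= 1.0.2),
#   3. what ALPN protocol a live frontend negotiates.

# Print the executable from the first ExecStart= line of a unit file read on
# stdin. A leftover 1.7 unit points at /usr/sbin/haproxy-systemd-wrapper.
unit_exec_path() {
    sed -n 's/^ExecStart=-\{0,1\}\([^ ]*\).*/\1/p' | head -n 1
}

# Print the OpenSSL version (e.g. 1.0.2n) from `haproxy -vv` output on stdin,
# or nothing when the binary was built without USE_OPENSSL=1.
built_openssl_version() {
    sed -n 's/^Built with OpenSSL version *: *OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p' | head -n 1
}

# HAProxy only compiles its ALPN support against OpenSSL 1.0.2 or later.
# Returns 0 when the version string given as $1 qualifies.
openssl_supports_alpn() {
    v=$1
    case $v in
        [0-9]*.[0-9]*) ;;          # looks like major.minor[.patch][letter]
        *) return 1 ;;             # empty or not a version string
    esac
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    patch=$(printf '%s' "${rest#*.}" | sed 's/[^0-9].*//')   # "2n" -> "2"
    [ "$major" -gt 1 ] && return 0
    [ "$major" -eq 1 ] && [ "$minor" -gt 0 ] && return 0
    [ "$major" -eq 1 ] && [ "$minor" -eq 0 ] && [ "${patch:-0}" -ge 2 ] && return 0
    return 1
}

# Parse `openssl s_client -alpn ...` output on stdin: prints the negotiated
# protocol, or "none" when the server answered without ALPN.
alpn_from_s_client() {
    out=$(sed -n 's/^ALPN protocol: //p' | head -n 1)
    printf '%s\n' "${out:-none}"
}

# Live probe (needs a reachable server): what does host:port negotiate for h2?
probe_alpn() {
    openssl s_client -alpn h2,http/1.1 -connect "$1:${2:-443}" </dev/null 2>/dev/null |
        alpn_from_s_client
}

# Live diagnosis (needs systemd and a haproxy binary on PATH).
diagnose() {
    exe=$(systemctl cat haproxy 2>/dev/null | unit_exec_path)
    case $exe in
        *haproxy-systemd-wrapper*)
            echo "unit starts the 1.7 wrapper ($exe); point ExecStart at the 1.8 haproxy binary" ;;
        "") echo "no ExecStart found in the haproxy unit" ;;
        *)  echo "unit starts $exe; haproxy on PATH is $(command -v haproxy)" ;;
    esac
    ver=$(haproxy -vv 2>/dev/null | built_openssl_version)
    if openssl_supports_alpn "$ver"; then
        echo "haproxy on PATH built against OpenSSL $ver: ALPN available"
    else
        echo "haproxy on PATH built against OpenSSL '${ver:-none}': no ALPN (need >= 1.0.2 and USE_OPENSSL=1)"
    fi
}

# Usage: sh alpn_check.sh diagnose
#        sh alpn_check.sh probe example.com 443
case ${1:-} in
    diagnose) diagnose ;;
    probe)    probe_alpn "$2" "$3" ;;
esac
```

If `diagnose` reports the wrapper, fixing the unit is the whole fix; if it reports an OpenSSL older than 1.0.2 or none at all, the build is the problem. `probe_alpn` is the end-to-end confirmation: a frontend with `alpn h2,http/1.1` should answer `h2`.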


#5

You are right! That seems to be the problem with the ALPN. Thank you!

Yet I found another issue: haproxy doesn't seem to automatically pick up the openssl libs from the system.

$ make TARGET=linux2628
or
$ make TARGET=linux2628 USE_OPENSSL=1
$ make install
$ haproxy -vv
...gives no openssl support, and ssl params in the .cfg don't work.

I was able to do so by introducing SSL_INC and SSL_LIB, but shouldn't it get them from the system?

Thank you


#6

Did you install the dev headers?

yum install openssl-devel