Logging server name on failed SSL handshakes

danny · December 8, 2021, 11:38am

Hello,

I’m interested in logging failed SSL handshakes, and require knowing which server name was sent in the SNI request (we occasionally get requests for domains which still don’t have a certificate and would like to generate one for them).
I’ve tried using ssl_fc_err_str and ssl_fc_sni, but couldn’t log the server name. ssl_fc_sni is empty (-). Can someone help?

HAProxy version 2.5.0-1~bpo10+1 2021/11/26 - https://haproxy.org/
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes

Thanks,
Danny

lukastribus · December 8, 2021, 5:01pm

Are you running with strict-sni enabled, or why is it that the handshake fails?

SSL logging was improved in haproxy 2.5, you should use the following features:

HTTPS log format and especially the Error log format

danny · December 8, 2021, 8:02pm

Thanks for the reply.

I am running with strict-sni, the handshake fails because the certificate is missing for the specified domain. I serve a great deal of certificates and in some cases they are missing and I need to generate them.

As you can see we are using haproxy 2.5. however I couldn’t find any way to log the server name requested in the SNI in the error log. I assumed it would be ssl_fc_sni but it is blank. I might be missing something there.

lukastribus · December 8, 2021, 8:20pm

Did you use error-log-format ?

danny · December 8, 2021, 9:00pm

Yes, I’ve tried quite a few variations on it.
For example this one:

error-log-format “%ci:%cp [%tr] %ft %ac/%fc %[ssl_fc_sni] %[fc_err] %[bc_err] “%[fc_err_str]” “%[ssl_fc_err_str]””

I couldn’t find a parameter that holds the server name.

lukastribus · December 9, 2021, 12:16am

I’ve filed a bug:

github.com/haproxy/haproxy

error-log-format: ssl_fc_sni always empty

opened 12:15AM - 09 Dec 21 UTC

lukastribus

type: bug status: needs-triage

### Detailed Description of the Problem When using error-log-format with %[ss…l_fc_sni], we never actually return a SNI value. ### Expected Behavior Return SNI value. ### Steps to Reproduce the Behavior 1. use error-log-format with ssl_fc_sni (as per the documentation) 2. trigger a SSL handshake failure (for example with mismatching SSL versions, ciphers or SNI with strict-sni) ### Do you have any idea what may have caused this? Maybe when triggering an handshake error the SNI value is already destroyed or not properly initialized. ### Do you have an idea how to solve the issue? If this is fixable in the code: OK; if not, we should document this limitation and remove `ssl_fc_sni` from the `error-log-format` example. ### What is your configuration? ```haproxy global maxconn 100 log 10.0.0.4 syslog debug chroot /tmp/ defaults mode http timeout connect 10s timeout client 60s timeout server 60s timeout http-request 5s timeout http-keep-alive 2s timeout tunnel 10s option httplog log global log-format %[ssl_fc_sni] frontend my-https-frontend bind :443 ssl ssl-min-ver SSLv3 ssl-max-ver TLSv1.0 crt /mycert.pem error-log-format "%ci:%cp [%tr] %ft %ac/%fc %[fc_err] %[ssl_fc_err,hex]/%[ssl_c_err]/%[ssl_c_ca_err]/%[ssl_fc_is_resumed] %[ssl_fc_sni]/%sslv/%sslc" option httpslog ``` ### Output of `haproxy -vv` ```plain HAProxy version 2.5.0-26f4e1-16 2021/12/03 - https://haproxy.org/ Status: stable branch - will stop receiving fixes around Q1 2023. Known bugs: http://www.haproxy.org/bugs/bugs-2.5.0.html Running on: Linux 4.15.0-128-generic #131-Ubuntu SMP Wed Dec 9 06:57:35 UTC 2020 x86_64 Build options : TARGET = linux-glibc CPU = generic CC = cc CFLAGS = -O2 -g -Wall -Wextra -Wundef -Wdeclaration-after-statement -fwrapv -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-clobbered -Wno-missing-field-initializers -Wtype-limits -Wshift-negative-value -Wshift-overflow=2 -Wduplicated-cond -Wnull-dereference OPTIONS = USE_GETADDRINFO=1 USE_OPENSSL=1 DEBUG = Feature list : +EPOLL -KQUEUE +NETFILTER -PCRE -PCRE_JIT -PCRE2 -PCRE2_JIT +POLL +THREAD +BACKTRACE -STATIC_PCRE -STATIC_PCRE2 +TPROXY +LINUX_TPROXY +LINUX_SPLICE +LIBCRYPT +CRYPT_H +GETADDRINFO +OPENSSL -LUA +ACCEPT4 -CLOSEFROM -ZLIB +SLZ +CPU_AFFINITY +TFO +NS +DL +RT -DEVICEATLAS -51DEGREES -WURFL -SYSTEMD -OBSOLETE_LINKER +PRCTL -PROCCTL +THREAD_DUMP -EVPORTS -OT -QUIC -PROMEX -MEMORY_PROFILING Default settings : bufsize = 16384, maxrewrite = 1024, maxpollevents = 200 Built with multi-threading support (MAX_THREADS=64, default=2). Built with OpenSSL version : OpenSSL 1.1.1 11 Sep 2018 Running on OpenSSL version : OpenSSL 1.1.1 11 Sep 2018 OpenSSL library supports TLS extensions : yes OpenSSL library supports SNI : yes OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3 Built with network namespace support. Built with libslz for stateless compression. Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip") Support for malloc_trim() is enabled. Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND Built without PCRE or PCRE2 support (using libc's regex instead) Encrypted password support via crypt(3): yes Built with gcc compiler version 7.5.0 Available polling systems : epoll : pref=300, test result OK poll : pref=200, test result OK select : pref=150, test result OK Total: 3 (3 usable), will use epoll. Available multiplexer protocols : (protocols marked as <default> cannot be specified using 'proto' keyword) h2 : mode=HTTP side=FE|BE mux=H2 flags=HTX|CLEAN_ABRT|HOL_RISK|NO_UPG fcgi : mode=HTTP side=BE mux=FCGI flags=HTX|HOL_RISK|NO_UPG <default> : mode=HTTP side=FE|BE mux=H1 flags=HTX h1 : mode=HTTP side=FE|BE mux=H1 flags=HTX|NO_UPG <default> : mode=TCP side=FE|BE mux=PASS flags= none : mode=TCP side=FE|BE mux=PASS flags=NO_UPG Available services : none Available filters : [SPOE] spoe [CACHE] cache [FCGI] fcgi-app [COMP] compression [TRACE] trace ``` ### Last Outputs and Backtraces _No response_ ### Additional Information Initially reported at https://discourse.haproxy.org/t/logging-server-name-on-failed-ssl-handshakes/7180/5

danny · December 9, 2021, 5:57am

Thank you very much!

Topic		Replies	Views
How can I set for verbose logging for SSL Handshake failures Help!	4	5958	June 2, 2023
Client Side Certificate SSL - Error Loging for HAProxy Help!	1	1812	June 16, 2016
Log-format for failed TLS Help!	1	495	April 6, 2021
SSL handshake failure - TCP FIN Help!	1	798	July 28, 2017
REQ_SSL_SNI and SSL termination Help!	2	9230	March 19, 2018

Logging server name on failed SSL handshakes

Related Topics