Problems for Multi SSL ECC-RSA


Recently I have been trying to configure two types of certificate (ECC, RSA). I followed this article, but when I try to connect to the server, sometimes it works and other times it does not.

My configuration:

frontend ssl
    bind *:443
    bind :::443
    mode tcp
    option tcplog
    tcp-request inspect-delay 5s
    use_backend tls-ecc if { req.ssl_ec_ext 1 }
    default_backend tls-rsa

backend tls-ecc
    mode tcp
    server ecc send-proxy-v2
backend tls-rsa
    mode tcp
    server rsa send-proxy-v2

listen all-ssl
    bind accept-proxy ssl crt /etc/haproxy/acme/ecc/
    bind accept-proxy ssl crt /etc/haproxy/acme/ 
    mode http
    option tcplog
    server server_1 check

After configuring my HAProxy, I am testing with the following command:

openssl s_client -servername -connect -cipher ECDHE-ECDSA-AES256-GCM-SHA384

The response to this is random.

Bad response:

140125524193472:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1407:SSL alert number 40
no peer certificate available
No client certificate CA names sent
SSL handshake has read 7 bytes and written 159 bytes
Verification: OK

Good response:

depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN =
verify return:1
Certificate chain
 0 s:/
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
Server certificate

Any idea about this problem?

Forget about the TCP frontend, and content-switching based on fetch samples. Haproxy will do the job for you.

Just read the documentation about the crt keyword.


Thanks, it works like a charm.
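A sketch of the single-frontend setup the answer points to, using the certificate bundle behaviour of the crt keyword. This is an added example, not configuration posted in the thread; the certificate file names, example.com and the backend address 127.0.0.1:8080 are constructed placeholders.

```haproxy
# Added example; file names, example.com and the backend address are placeholders.
#
# Certificate bundle on disk: one base name, one file per key type, each file
# holding the private key, the certificate and its chain in PEM format:
#   /etc/haproxy/acme/example.com.pem.rsa
#   /etc/haproxy/acme/example.com.pem.ecdsa
#
# "crt" names the bundle WITHOUT the .rsa/.ecdsa suffix. HAProxy loads every
# key type it finds and serves the one that matches the ciphers the client
# offers. This needs HAProxy built against OpenSSL 1.0.2 or later.

frontend all-ssl
    bind *:443 ssl crt /etc/haproxy/acme/example.com.pem
    bind :::443 ssl crt /etc/haproxy/acme/example.com.pem
    mode http
    option httplog
    default_backend app

backend app
    mode http
    server server_1 127.0.0.1:8080 check

# No TCP frontend, req.ssl_ec_ext rule or PROXY-protocol hop is involved:
# TLS terminates directly on the binds above.
#
# Check each key type separately (TLS 1.2 so that -cipher takes effect):
#   openssl s_client -connect example.com:443 -servername example.com -tls1_2 -cipher ECDHE-ECDSA-AES256-GCM-SHA384
#   openssl s_client -connect example.com:443 -servername example.com -tls1_2 -cipher ECDHE-RSA-AES256-GCM-SHA384
```

Both test commands should complete the handshake on every attempt, the first returning the ECDSA certificate and the second the RSA one.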