Problems for Multi SSL ECC-RSA


#1

Hi,

Recently I have been trying to configure two types of certificate (ECC, RSA). I followed this article https://www.haproxy.com/fr/blog/serving-ecc-and-rsa-certificates-on-same-ip-with-haproxy/ but when I try to connect to the server, sometimes it works and other times it does not.

My configuration:

frontend ssl
    bind *:443
    bind :::443
    mode tcp
    option tcplog
    tcp-request inspect-delay 5s
    use_backend tls-ecc if { req.ssl_ec_ext 1 }
    default_backend tls-rsa

backend tls-ecc
    mode tcp
    server ecc 127.0.0.1:8982 send-proxy-v2
backend tls-rsa
    mode tcp
    server rsa 127.0.0.1:8983 send-proxy-v2

listen all-ssl
    bind 127.0.0.1:8982 accept-proxy ssl crt /etc/haproxy/acme/ecc/myserver.com.pem
    bind 127.0.0.1:8983 accept-proxy ssl crt /etc/haproxy/acme/myserver.com.pem
    mode http
    option tcplog
    server server_1 127.0.0.1:80 check

After configuring my haproxy, I am testing with the following command.

openssl s_client -servername myserver.com -connect myserver.com:443 -cipher ECDHE-ECDSA-AES256-GCM-SHA384

The response to this is random.

Bad response:

140125524193472:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1407:SSL alert number 40
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 159 bytes
Verification: OK
---
...
...

Good response:

CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = myserver.com
verify return:1
---
Certificate chain
 0 s:/CN=myserver.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
...
...

Any idea about this problem?


#2

Forget about the TCP frontend, and content-switching based on fetch samples. Haproxy will do the job for you.

Just read the documentation about the crt keyword.

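The single-listener form that the reply points to, as an added example (not the original poster's configuration and not code from the HAProxy project): HAProxy loads a key-type bundle when the files next to the `crt` path carry `.rsa` and `.ecdsa` suffixes, and picks the certificate the client can use during the handshake itself, so no TCP relay and no `req.ssl_ec_ext` switching is needed. The directory and file names are assumed.

```haproxy
# Added example, not part of the original thread. Paths are assumed.
# Expected layout on disk (HAProxy selects the bundle members by suffix):
#   /etc/haproxy/certs/myserver.com.pem.rsa    <- RSA cert + chain + private key
#   /etc/haproxy/certs/myserver.com.pem.ecdsa  <- ECDSA cert + chain + private key
# No file named exactly /etc/haproxy/certs/myserver.com.pem is required.

frontend https
    # One TLS-terminating bind per address family; the ECDSA or RSA
    # certificate is chosen per client from what the ClientHello offers.
    bind *:443   ssl crt /etc/haproxy/certs/myserver.com.pem
    bind :::443  ssl crt /etc/haproxy/certs/myserver.com.pem
    mode http
    option httplog
    default_backend web

    # On HAProxy 2.2 or later the suffix bundle is no longer necessary:
    # listing both PEM files on the bind line gives the same per-client
    # choice between the two certificates for the same name.
    #   bind *:443 ssl crt /etc/haproxy/certs/ecc/myserver.com.pem crt /etc/haproxy/certs/rsa/myserver.com.pem

backend web
    mode http
    server server_1 127.0.0.1:80 check
```

To confirm both paths work, run the poster's `openssl s_client` command twice, once with `-cipher ECDHE-ECDSA-AES256-GCM-SHA384` and once with `-cipher ECDHE-RSA-AES256-GCM-SHA384`, and check that each handshake completes and the "Server certificate" section shows the matching key type.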

#3

@lukastribus

Thanks, it works like a charm.

Regards.