Hi,
Recently I have been trying to configure two types of certificate (ECC and RSA). I followed this article https://www.haproxy.com/fr/blog/serving-ecc-and-rsa-certificates-on-same-ip-with-haproxy/ but when I try to connect to the server, sometimes it works and sometimes it does not.
My configuration:
frontend ssl
    bind *:443
    bind :::443
    mode tcp
    option tcplog
    tcp-request inspect-delay 5s
    use_backend tls-ecc if { req.ssl_ec_ext 1 }
    default_backend tls-rsa

backend tls-ecc
    mode tcp
    server ecc 127.0.0.1:8982 send-proxy-v2

backend tls-rsa
    mode tcp
    server rsa 127.0.0.1:8983 send-proxy-v2

listen all-ssl
    bind 127.0.0.1:8982 accept-proxy ssl crt /etc/haproxy/acme/ecc/myserver.com.pem
    bind 127.0.0.1:8983 accept-proxy ssl crt /etc/haproxy/acme/myserver.com.pem
    mode http
    option tcplog
    server server_1 127.0.0.1:80 check
After configuring my haproxy I am testing with the following command.
openssl s_client -servername myserver.com -connect myserver.com:443 -cipher ECDHE-ECDSA-AES256-GCM-SHA384
The response to this is random.
Bad response:
140125524193472:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1407:SSL alert number 40
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 159 bytes
Verification: OK
---
...
...
Good response:
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = myserver.com
verify return:1
---
Certificate chain
 0 s:/CN=myserver.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
...
...
Any idea about this problem?
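Compared with the pattern in the linked blog post, the frontend above has no `tcp-request content accept if { req.ssl_hello_type 1 }` rule. `req.ssl_ec_ext` is a layer-6 fetch that needs the ClientHello bytes to be in the buffer; with no tcp-request content rule present, the inspect-delay is not applied while waiting for them, so `use_backend` can be evaluated on an empty buffer right after accept. In that case the ACL is false, the connection falls through to `default_backend tls-rsa`, and a client that only offers an ECDSA cipher suite gets the "handshake failure" (alert 40) seen in the bad response; when the ClientHello happens to arrive before the rules run, the ECC backend is chosen and the handshake succeeds. The frontend below is an added example of the corrected routing section, not the poster's config and not copied from the blog. It keeps the poster's ports and backend names; the assumption that this race is the cause of the intermittent failures is mine.

```haproxy
# Added example: route on the ClientHello only after the ClientHello has
# actually been received. Assumption: the intermittent alert-40 failures in
# the post come from use_backend running before any TLS bytes arrived.
frontend ssl
    bind *:443
    bind :::443
    mode tcp
    option tcplog
    # Wait up to 5s for the client to send its ClientHello ...
    tcp-request inspect-delay 5s
    # ... and release the connection as soon as a ClientHello (TLS hello type 1)
    # is in the buffer. Without this content rule the inspect-delay is not used
    # and the use_backend ACL below may be evaluated on an empty buffer.
    tcp-request content accept if { req.ssl_hello_type 1 }
    # Clients that sent the Supported Elliptic Curves extension get the ECC cert
    use_backend tls-ecc if { req.ssl_ec_ext 1 }
    # Everyone else (no EC extension, or no ClientHello within 5s) gets RSA
    default_backend tls-rsa

# Backends unchanged from the post
backend tls-ecc
    mode tcp
    server ecc 127.0.0.1:8982 send-proxy-v2

backend tls-rsa
    mode tcp
    server rsa 127.0.0.1:8983 send-proxy-v2
```

To confirm the fix, run `haproxy -c -f /etc/haproxy/haproxy.cfg` to validate the file, reload, then repeat the poster's `openssl s_client -cipher ECDHE-ECDSA-AES256-GCM-SHA384` test a few dozen times and do the same with an RSA-only suite such as `ECDHE-RSA-AES256-GCM-SHA384`: each run should now consistently show the certificate matching the requested key type, and `tcplog` lines for the frontend should show the backend name alternating only with the cipher offered, never at random.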