HAProxy community

Query regarding HAProxy and OpenSSL


#1

Experts, I am looking for some authentic answers on HAProxy and OpenSSL.

• What is the most recent version of HAProxy that will work with OpenSSL 1.0.2 (or a version close to that)?

• What is the oldest version of OpenSSL that works with the newest version of HAProxy?

Appreciate any quick response on that.

Thanks

ALe


#2

All current stable releases as well as the development tree support openssl-1.0.2 and will do for a long time. There are no plans to drop OpenSSL 1.0.2 support. If it doesn’t build, it’s a bug that will be fixed.

Haproxy 1.8 and later support both OpenSSL 1.1.0 and 1.1.1. Haproxy 1.8.15 will introduce a new option to configure TLSv1.3 ciphers, but that doesn’t mean older 1.8 releases can’t be used with OpenSSL 1.1.1 and TLSv1.3; it’s just that the TLSv1.3 ciphersuites are not configurable within haproxy.


#3

Hey Lukas,

Appreciate your response. We are planning to use our own FIPS module with HAProxy. For that we have so far tested the integration using OpenSSL 1.0.2.

So most probably we are planning to use OpenSSL 1.0.2 with the latest HAProxy version, i.e. 1.8. So again, to reconfirm: does the latest HAProxy 1.8 (latest stable) have support for OpenSSL 1.0.2? And what is the lowest OpenSSL version that is supported by the latest HAProxy version (stable)?

Thanks


#4

Reconfirming, OpenSSL 1.0.2 works fine with Haproxy 1.8.

Even OpenSSL 0.9.8 still works with Haproxy 1.8:

lukas@dev:~/haproxy-1.8$ ./haproxy  -vv
HA-Proxy version 1.8.14-a873c1-41 2018/10/29
Copyright 2000-2018 Willy Tarreau <willy@haproxy.org>

Build options :
  TARGET  = linux2628
  CPU     = generic
  CC      = gcc
  CFLAGS  = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv -Wno-unused-label
  OPTIONS = USE_OPENSSL=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with OpenSSL version : OpenSSL 0.9.8zg 11 Jun 2015
Running on OpenSSL version : OpenSSL 0.9.8zg 11 Jun 2015
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : SSLv3 TLSv1.0
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Encrypted password support via crypt(3): yes
Built with multi-threading support.
Built without PCRE or PCRE2 support (using libc's regex instead)
Built without compression support (neither USE_ZLIB nor USE_SLZ are set).
Compression algorithms supported : identity("identity")
Built with network namespace support.

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available filters :
        [SPOE] spoe
        [COMP] compression
        [TRACE] trace

lukas@dev:~/haproxy-1.8$

If you are developing a new openssl module, I would suggest you do that with OpenSSL 1.1.1 instead though. Upstream OpenSSL will drop support for OpenSSL 1.0.2 in about a year:

https://www.openssl.org/policies/releasestrat.html

OpenSSL 1.1.1 is what you want to base your development effort on.

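To make the `haproxy -vv` check above repeatable, here is an added shell example (not from the thread or from the HAProxy project) that parses that output for the build-time and run-time OpenSSL versions and the protocol list, and warns when the two versions differ or when the linked library offers nothing newer than TLSv1.0. The first sample is taken from the output quoted above; the second is a constructed mismatch case, and all function and variable names are my own.

```shell
#!/bin/sh
# Added example, not part of the thread: extract the OpenSSL details from
# `haproxy -vv` output and flag two things an operator cares about:
#   1. build-time and run-time OpenSSL versions differ (wrong shared lib picked up)
#   2. the linked library offers no TLSv1.2 or newer
#
# Sample taken from the output quoted in the thread.
SAMPLE_VV='HA-Proxy version 1.8.14-a873c1-41 2018/10/29
Copyright 2000-2018 Willy Tarreau <willy@haproxy.org>

Built with OpenSSL version : OpenSSL 0.9.8zg 11 Jun 2015
Running on OpenSSL version : OpenSSL 0.9.8zg 11 Jun 2015
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : SSLv3 TLSv1.0
Built with multi-threading support.'

# Constructed sample (not real output): binary built against one 1.0.2 letter
# release but loading a different one at run time.
SAMPLE_MISMATCH='Built with OpenSSL version : OpenSSL 1.0.2k  26 Jan 2017
Running on OpenSSL version : OpenSSL 1.0.2p  14 Aug 2018
OpenSSL library supports : SSLv3 TLSv1.0 TLSv1.1 TLSv1.2'

# Version string HAProxy was compiled against, e.g. "0.9.8zg".
built_openssl_version() {
    printf '%s\n' "$1" | sed -n 's/^Built with OpenSSL version : OpenSSL \([^ ]*\).*/\1/p'
}

# Version string of the library actually loaded at run time.
running_openssl_version() {
    printf '%s\n' "$1" | sed -n 's/^Running on OpenSSL version : OpenSSL \([^ ]*\).*/\1/p'
}

# Space-separated protocol versions the linked library offers.
supported_tls_versions() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSL library supports : //p'
}

# Exit 0 when both versions were found and are identical.
openssl_versions_match() {
    built=$(built_openssl_version "$1")
    running=$(running_openssl_version "$1")
    [ -n "$built" ] && [ "$built" = "$running" ]
}

# Exit 0 when the library offers TLSv1.2 or TLSv1.3.
offers_tls12_or_newer() {
    case " $(supported_tls_versions "$1") " in
        *" TLSv1.2 "*|*" TLSv1.3 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Summarise one `haproxy -vv` dump. Against a live binary:
#   check_haproxy_tls "$(haproxy -vv 2>/dev/null)"
check_haproxy_tls() {
    vv=$1
    printf 'built against : %s\n' "$(built_openssl_version "$vv")"
    printf 'running on    : %s\n' "$(running_openssl_version "$vv")"
    printf 'protocols     : %s\n' "$(supported_tls_versions "$vv")"
    if ! openssl_versions_match "$vv"; then
        echo 'WARNING: build-time and run-time OpenSSL differ; check which shared library is loaded'
    fi
    if ! offers_tls12_or_newer "$vv"; then
        echo 'WARNING: linked OpenSSL offers no TLSv1.2 or newer'
    fi
}

echo '--- sample from the thread ---'
check_haproxy_tls "$SAMPLE_VV"
echo '--- constructed mismatch sample ---'
check_haproxy_tls "$SAMPLE_MISMATCH"
```

The two version lines are worth comparing because HAProxy prints both: a mismatch usually means the binary was built against one OpenSSL tree (for example a FIPS-capable build) but is loading a different shared library at run time, so the validated module is not the one actually doing the crypto.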

#5

Hey @lukastribus thanks again for your response. I’ll convey this to our development team.

Cheers

Ali