Sorry, I forgot to mention this as well: I did the test with specific ciphers, the same as you did, with the same result. So far I'm really puzzled. Is there a way to instruct haproxy to produce more diagnostics from openssl?
@lukastribus I am facing the same problem as well. For me everything works fine with haproxy 2.0, but as soon as I moved to 2.8 I see it never loads my RSA certs into the CTX. Is there any change in the hybrid configuration?
[root@cucm-8 ~]# ./haproxy -vv
HAProxy version 2.8.5-aaba8d0 2023/12/07 - https://haproxy.org/
Status: long-term supported branch - will stop receiving fixes around Q2 2028.
Known bugs: http://www.haproxy.org/bugs/bugs-2.8.5.html
Running on: Linux 4.18.0-372.16.1.el8_6.x86_64 #1 SMP Wed Jul 13 03:56:16 EDT 2022 x86_64
Build options :
TARGET = custom
CPU = generic
CC = cc
CFLAGS = -m64 -march=x86-64 -O2 -g -Wall -Wextra -Wundef -Wdeclaration-after-statement -Wfatal-errors -Wtype-limits -Wshift-negative-value -Wshift-overflow=2 -Wduplicated-cond -Wnull-dereference -fwrapv -Wno-address-of-packed-member -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-clobbered -Wno-missing-field-initializers -Wno-cast-function-type -Wno-string-plus-int -Wno-atomic-alignment
OPTIONS = USE_EPOLL=1 USE_THREAD=1 USE_LINUX_SPLICE=1 USE_OPENSSL=1 USE_SLZ= USE_CPU_AFFINITY=1
DEBUG = -DDEBUG_STRICT -DDEBUG_MEMORY_POOLS
Feature list : -51DEGREES -ACCEPT4 -BACKTRACE -CLOSEFROM +CPU_AFFINITY -CRYPT_H -DEVICEATLAS -DL -ENGINE +EPOLL -EVPORTS -GETADDRINFO -KQUEUE -LIBATOMIC -LIBCRYPT -LINUX_CAP +LINUX_SPLICE -LINUX_TPROXY -LUA -MATH -MEMORY_PROFILING -NETFILTER -NS -OBSOLETE_LINKER +OPENSSL -OPENSSL_WOLFSSL -OT -PCRE -PCRE2 -PCRE2_JIT -PCRE_JIT +POLL -PRCTL -PROCCTL -PROMEX -PTHREAD_EMULATION -QUIC -QUIC_OPENSSL_COMPAT -RT -SHM_OPEN -SLZ +SSL -STATIC_PCRE -STATIC_PCRE2 -SYSTEMD -TFO +THREAD -THREAD_DUMP -TPROXY -WURFL -ZLIB
Default settings :
bufsize = 16384, maxrewrite = 1024, maxpollevents = 200
Built with multi-threading support (MAX_TGROUPS=16, MAX_THREADS=256, default=2).
Built with OpenSSL version : OpenSSL 1.1.1t.***
Running on OpenSSL version : OpenSSL 1.1.1t.***
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
Built without compression support (neither USE_ZLIB nor USE_SLZ are set).
Compression algorithms supported : identity("identity")
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built without PCRE or PCRE2 support (using libc's regex instead)
Encrypted password support via crypt(3): no
Built with gcc compiler version 8.5.0 20210514 (Red Hat 8.5.0-10)
Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.
Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
h2 : mode=HTTP side=FE|BE mux=H2 flags=HTX|HOL_RISK|NO_UPG
fcgi : mode=HTTP side=BE mux=FCGI flags=HTX|HOL_RISK|NO_UPG
<default> : mode=HTTP side=FE|BE mux=H1 flags=HTX
h1 : mode=HTTP side=FE|BE mux=H1 flags=HTX|NO_UPG
<default> : mode=TCP side=FE|BE mux=PASS flags=
none : mode=TCP side=FE|BE mux=PASS flags=NO_UPG
Available services : none
Available filters :
[BWLIM] bwlim-in
[BWLIM] bwlim-out
[CACHE] cache
[COMP] compression
[FCGI] fcgi-app
[SPOE] spoe
[TRACE] trace
Here are my certificates:
[root@cucm-8 ~]# ls -ltr /usr/local/
-rwxr-xr-x. 1 certbase ccmbase 4119 Dec 13 09:00 HAProxy.pem.rsa
-rwxr-xr-x. 1 certbase ccmbase 1173 Dec 13 09:00 HAProxy.pem.ecdsa
Here the problem was: when I connect to my port using the openssl command below, it works fine.
openssl s_client -connect localhost:8443 -tls1_3
But all of my executions below fail to connect.
openssl s_client -connect localhost:8443 -tls1_2 -cipher ECDHE-RSA-AES256-GCM-SHA384
openssl s_client -connect localhost:8443 -tls1_2 -cipher ECDHE-ECDSA-AES256-GCM-SHA384
fd[0x9] OpenSSL error[0x1417a0c1] tls_post_process_client_hello: no shared cipher
fd[0x9] OpenSSL error[0x1417a0c1] tls_post_process_client_hello: no shared cipher
I see it negotiates a few times and other times it fails with the same error above. So it all looks to me like how haproxy loads the SSL context matters here, I believe.
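A small client-side probe for the situation described in this post, added here as an example and not part of the thread or of HAProxy itself: it runs the same TLS 1.2 RSA/ECDSA suite checks plus a TLS 1.3 check against a bind and summarises which certificate type (via the peer signature type) was actually served. Host and port are assumptions (defaults localhost:8443), and the embedded s_client fragments are constructed for a self-test, not real captures.

```shell
#!/bin/sh
# classify_sclient: read `openssl s_client` output on stdin and print one line:
#   OK <protocol> <cipher> <peer-signature-type>   or   FAIL <reason>
classify_sclient() {
    out=$(cat)
    # "New, TLSv1.2, Cipher is ECDHE-RSA-..." -> "TLSv1.2 ECDHE-RSA-..."; "(NONE)" on failure
    cipher=$(printf '%s\n' "$out" | sed -n 's/^New, \([^,]*\), Cipher is \(.*\)$/\1 \2/p' | head -n 1)
    case "$cipher" in
        ""|*"(NONE)"*)
            reason=$(printf '%s\n' "$out" \
                | grep -E -o 'alert [a-z ]+|no shared cipher|no peer certificate' | head -n 1)
            printf 'FAIL %s\n' "${reason:-unknown}"
            ;;
        *)
            # "Peer signature type: RSA-PSS|ECDSA" reveals which of the hybrid certs was used
            sig=$(printf '%s\n' "$out" | sed -n 's/^Peer signature type: //p' | head -n 1)
            printf 'OK %s %s\n' "$cipher" "${sig:-n/a}"
            ;;
    esac
}

# probe HOST PORT VERSION-FLAG SUITE: one handshake attempt, one summary line
probe() {
    host=$1; port=$2; ver=$3; suite=$4
    # TLS 1.3 suites are selected with -ciphersuites, TLS 1.2 suites with -cipher
    if [ "$ver" = "-tls1_3" ]; then opt=-ciphersuites; else opt=-cipher; fi
    res=$(openssl s_client -connect "$host:$port" "$ver" "$opt" "$suite" </dev/null 2>&1 \
        | classify_sclient)
    printf '%-8s %-32s %s\n' "$ver" "$suite" "$res"
}

# run_matrix HOST PORT: the two TLS 1.2 suites from the thread (each forces one
# certificate type) plus a TLS 1.3 suite, which is key-type agnostic
run_matrix() {
    probe "$1" "$2" -tls1_2 ECDHE-RSA-AES256-GCM-SHA384
    probe "$1" "$2" -tls1_2 ECDHE-ECDSA-AES256-GCM-SHA384
    probe "$1" "$2" -tls1_3 TLS_AES_256_GCM_SHA384
}

# Constructed s_client fragments (not real captures) for checking the classifier offline.
SAMPLE_OK='New, TLSv1.2, Cipher is ECDHE-ECDSA-AES256-GCM-SHA384
Server public key is 256 bit
Peer signature type: ECDSA'
SAMPLE_FAIL='140:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1543:SSL alert number 40
no peer certificate available
New, (NONE), Cipher is (NONE)'

# Only talk to the network when PROBE_HOST is set, e.g. PROBE_HOST=localhost PROBE_PORT=8443 sh probe.sh
if [ -n "${PROBE_HOST:-}" ]; then run_matrix "$PROBE_HOST" "${PROBE_PORT:-8443}"; fi
```

A "FAIL alert handshake failure" on the ECDHE-RSA row next to an "OK" on the ECDHE-ECDSA row (or vice versa) is the client-side view of one certificate not being loaded into the context.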
So what you are saying is that TLSv1.2 does not work. Not with RSA and not with ECC certificate. So in other words, your problem is unrelated to the certificates, but is related to TLSv1.2.
I suggest you remove some of the more specific configuration and try to find if you can make it work in a standard configuration. This includes npn, curves, prefer-client-ciphers and the global ssl-default-bind-* parameters.
That doesn’t make sense, but can you at least tell us if the number is the same or different (between Built with and Running on)?
Your certificates must also have a CN or a SNI. If that's not the case you can specify a filter with a crt-list, but clients won't be able to correctly verify the certificate.