HAProxy community

SSL Passthrough tcp mode failed during SSL Handshake


#1

Hello All,
I have been fighting with this problem for some time now but am unable to figure it out.
I tested HAProxy SSL Passthrough with a simple configuration using the listen directive.
Here is working sample:

listen my_listener
    bind *:443
    mode tcp
    option tcplog
    balance leastconn
    option ssl-hello-chk
    server app lb-test.xyz:443 check

Now I would like to use SNI to have option to route ssl traffic to multiple backends. First step was to move this configuration to frontend and backend directives:

frontend https
    bind *:443
    mode tcp
    option tcplog
    default_backend app

backend app
    mode tcp
    option tcplog
    balance roundrobin
    option ssl-hello-chk
    server app_backend lb-test.xxx:443 check

Unfortunately this configuration is not correct. When I try to test it I get:

curl https://yyy.com -v
* Rebuilt URL to: https://yyyy.com/
*   Trying 18.207.74.42...
* TCP_NODELAY set
* Connected to yyy.com (xxx) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS alert, Server hello (2):
* error:14004438:SSL routines:CONNECT_CR_SRVR_HELLO:tlsv1 alert internal error
* stopped the pause stream!
* Closing connection 0
curl: (35) error:14004438:SSL routines:CONNECT_CR_SRVR_HELLO:tlsv1 alert internal error

So it looks like communication is not possible because the server sends a hello packet with an alert.

Communication to the backend works when I try it directly without haproxy:

curl -vvvv https://xxxxx -v
* Rebuilt URL to: https://xxxxx/
*   Trying 55.*.*.*...
* TCP_NODELAY set
* Connected to xxxxxxx (yyyyy) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  ..........
* Server certificate:
*............

haproxy version: 1.6.3 2015/12/25

Any ideas appreciated,
Michal
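
The next step the poster describes, routing passthrough TLS traffic to several backends by SNI, looks like this in a tcp-mode frontend. This is an added example, not the poster's configuration; the host names, backend names and server addresses are placeholders. The important part is the `tcp-request inspect-delay` / `tcp-request content accept` pair: without it HAProxy evaluates `req.ssl_sni` before the ClientHello has been buffered and the `use_backend` rules never match.

```haproxy
# Added example (not the original poster's config): SNI-based routing of
# TLS passthrough traffic in tcp mode. All host names and addresses below
# are placeholders.
frontend https
    bind *:443
    mode tcp
    option tcplog
    # Wait (up to 5s) until the TLS ClientHello is fully buffered so that
    # req.ssl_sni can be read; otherwise the routing rules see no SNI.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    # Route on the SNI host name the client sends in clear text.
    use_backend app1 if { req.ssl_sni -i app1.example.com }
    use_backend app2 if { req.ssl_sni -i app2.example.com }
    default_backend app1

backend app1
    mode tcp
    option tcplog
    balance leastconn
    option ssl-hello-chk
    server app1_backend app1-origin.example.com:443 check

backend app2
    mode tcp
    option tcplog
    balance leastconn
    option ssl-hello-chk
    server app2_backend app2-origin.example.com:443 check
```

Because HAProxy never terminates TLS here, the bytes of the handshake are forwarded unchanged and the certificate the client validates is the backend's own; HAProxy only reads the SNI extension, which is sent unencrypted in the ClientHello, to pick the backend. A connection that sends no ClientHello before the inspect delay expires falls through to `default_backend`, so if only TLS is expected on this port it can be rejected explicitly with `tcp-request content reject if !{ req.ssl_hello_type 1 }`.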


#2

So just to confirm: the former config with “listen my_listener” works fine, but the frontend/backend configuration does not?

Are you sure that is the one and only change and it’s exactly like you posted above? I don’t see anything wrong with the new configuration and I find it hard to believe that this change is causing an issue, as haproxy does not know anything about that.

Going back to the listener config restores the service again?