SSL Passthrough tcp mode failed during SSL Handshake

Hello All,
I have been fighting with this problem for some time now but am unable to figure it out.
I tested HAProxy SSL passthrough with a simple configuration using the listen directive.
Here is a working sample:

listen my_listener
    bind *:443
    mode tcp
    option tcplog
    balance leastconn
    option ssl-hello-chk
    server app lb-test.xyz:443 check 

Now I would like to use SNI to have the option to route SSL traffic to multiple backends. The first step was to move this configuration to frontend and backend directives:

frontend https
    bind *:443
    mode tcp
    option tcplog
    default_backend app

backend app
    mode tcp
    option tcplog
    balance roundrobin
    option ssl-hello-chk
    server app_backend lb-test.xxx:443 check

Unfortunately this configuration is not correct. When I try to test it I get:

curl https://yyy.com -v
* Rebuilt URL to: https://yyyy.com/
*   Trying 18.207.74.42...
* TCP_NODELAY set
* Connected to yyy.com (xxx) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS alert, Server hello (2):
* error:14004438:SSL routines:CONNECT_CR_SRVR_HELLO:tlsv1 alert internal error
* stopped the pause stream!
* Closing connection 0
curl: (35) error:14004438:SSL routines:CONNECT_CR_SRVR_HELLO:tlsv1 alert internal error

So it looks like communication is not possible because the server sends a hello packet with an alert.

Communication to the backend works when I try it directly without haproxy:

curl -vvvv https://xxxxx -v
* Rebuilt URL to: https://xxxxx/
*   Trying 55.*.*.*...
* TCP_NODELAY set
* Connected to xxxxxxx (yyyyy) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  ..........
* Server certificate:
*............

haproxy version: 1.6.3 2015/12/25

Any ideas appreciated,
Michal

So just to confirm: the former config with "listen my_listener" works fine, but the frontend/backend configuration does not?

Are you sure that is the one and only change and it’s exactly like you posted above? I don’t see anything wrong with the new configuration and I find it hard to believe that this change is causing an issue, as haproxy does not know anything about that.

Going back to the listener config restores the service again?

Use this backend instead of your backend:

backend app
    mode tcp
    acl application_1 req_ssl_sni -i www.example.com
    use-server server1 if application_1
    option ssl-hello-chk
    server server1 www.example.com:443 check

This thread seems to be a little older, but I'm kinda in the same boat.

The idea is to have haproxy in front of a CodeReady Containers OpenShift cluster but also send requests to some locally running stuff.
The working configuration for just CRC:

global
    log /dev/log local0

defaults
    balance roundrobin
    log global
    maxconn 100
    mode tcp
    timeout connect 5s
    timeout client 500s
    timeout server 500s

listen apps
    bind 0.0.0.0:80
    server crcvm 192.168.130.11:80 check

listen apps_ssl
    bind 0.0.0.0:443
    server crcvm 192.168.130.11:443 check

listen api
    bind 0.0.0.0:6443
    server crcvm 192.168.130.11:6443 check

With that everything is working as expected, but obviously I can't nicely forward to other services, so I tried the following:

frontend http
        bind 0.0.0.0:80
        acl openshift hdr_end(host) -i apps-crc.testing

        use_backend openshift if openshift

frontend https
        bind 0.0.0.0:443
        acl openshift-ssl hdr_end(host) -i apps-crc.testing
        acl promlens hdr(host) -i promlens.rackow.io
        acl prometheus hdr(host) -i prometheus.rackow.io
        acl grafana hdr(host) -i grafana.rackow.io

        use_backend openshift-ssl if openshift-ssl
        use_backend promlens if promlens
        use_backend prometheus if prometheus
        use_backend prometheus if grafana

frontend openshift-api
        bind 0.0.0.0:6443
        mode tcp
        acl openshift-api hdr_end(host) -i crc.testing

        use_backend openshift-api if openshift-api

backend openshift
        server crcvm 192.168.130.11:80 check

backend openshift-ssl
        server crcvm 192.168.130.11:443 check

backend openshift-api
        server crcvm 192.168.130.11:6443 check

backend promlens
        server docker 127.0.0.1:8080 check

backend prometheus
        server docker 127.0.0.1:9090 check

backend grafana
        server docker 127.0.0.1:3000 check

but when doing that something seems to go wrong.
In the logs I get:

Mar 30 14:11:27 clouder haproxy[85060]: 100.80.200.95:53412 [30/Mar/2022:14:11:27.054] openshift-api openshift-api/<NOSRV> -1/-1/0 0 SC 1/1/0/0/0 0/0

and the client that tries the request just returns an EOF.

To my understanding I just did the same thing in different ways?
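The following is an added example, not a configuration posted in this thread or shipped by HAProxy; it shows the SNI-based passthrough layout that both the first post (routing TLS to several backends by SNI with frontend/backend sections) and the CRC post above are reaching for. Two things make it work in `mode tcp`: HAProxy never decrypts the connection, so `hdr(host)` is always empty and the routing key has to come from the SNI extension of the TLS ClientHello via `req_ssl_sni`; and HAProxy must be told to wait for that ClientHello with `tcp-request inspect-delay` plus `tcp-request content accept if { req_ssl_hello_type 1 }`, because otherwise the `use_backend` rules are evaluated before any bytes have arrived. A frontend whose `use_backend` rules never match and which has no `default_backend` closes the connection and logs it as `<NOSRV>` with an `SC` termination state, which is the log line shown in the CRC post. The hostnames and the local service addresses are placeholders chosen for the example; the `192.168.130.11` address is the CRC VM address from the post.

```haproxy
# Added example: SNI-based TLS passthrough with frontend/backend sections.
# Hostnames ending in .example.test and the 127.0.0.1 ports are placeholders.
global
    log /dev/log local0

defaults
    mode tcp
    log global
    option tcplog
    timeout connect 5s
    timeout client 50s
    timeout server 50s

frontend https
    bind *:443
    mode tcp
    # Hold the connection (up to 5s) until a complete TLS ClientHello has been
    # buffered. Without this the use_backend rules run on an empty buffer,
    # req_ssl_sni is empty, and every ACL below is false.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }

    # Route on the server name carried in the ClientHello. hdr(host) cannot be
    # used here: in mode tcp no HTTP headers are ever seen.
    acl sni_openshift req_ssl_sni -i -m end .apps-crc.testing
    acl sni_grafana   req_ssl_sni -i grafana.example.test
    acl sni_promlens  req_ssl_sni -i promlens.example.test

    use_backend openshift-ssl if sni_openshift
    use_backend grafana       if sni_grafana
    use_backend promlens      if sni_promlens
    # Deliberately no default_backend: a ClientHello with an unknown or missing
    # SNI is closed (logged as <NOSRV> SC) instead of being handed to an
    # arbitrary backend that holds a certificate for some other name.

backend openshift-ssl
    # ssl-hello-chk probes the server with an SSLv3-style ClientHello and
    # expects a ServerHello back, so the check exercises the TLS endpoint
    # without HAProxy having to terminate TLS itself.
    option ssl-hello-chk
    server crcvm 192.168.130.11:443 check

backend grafana
    option ssl-hello-chk
    server local 127.0.0.1:3000 check

backend promlens
    option ssl-hello-chk
    server local 127.0.0.1:8080 check
```

Validate the file with `haproxy -c -f haproxy.cfg` before reloading; HAProxy warns at startup when an ACL uses a layer 7 sample such as `hdr(host)` in a tcp-mode frontend, which is a quick way to spot the mistake in the CRC config. To confirm the routing, connect with `openssl s_client -connect <lb>:443 -servername grafana.example.test` and check that the certificate returned belongs to the backend you expected for that name; repeating the test with a name that matches no ACL should end in an immediate close rather than a certificate. Some current servers refuse the SSLv3-style probe that `ssl-hello-chk` sends; if checks stay down for such a backend, replace it with `check-ssl` (optionally `verify none` when the backend uses a private CA) so the health check performs a real TLS handshake. The plain-HTTP frontend on port 80 in the CRC post has the same problem in reverse: `hdr_end(host)` needs `mode http` there.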