Strange cipher issue

Hi ,
I am struggling with a cipher issue and would request your input.
The haproxy is built with opensssl.I am trying to use “ssl-default-bind-ciphersuites” is global section. But haproxy compalns as

"unknown keyword ‘ssl-default-bind-ciphersuites’ in ‘global’ section"

where as it does not complain about “ssl-default-bind-options”.

Would appreciate much if you can guide me, on what I am doing wrong…

Following is my global and default section in my haproxy.cfg.

ssl-default-bind-options ssl-min-ver TLSv1.2
ssl-default-bind-ciphersuites TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
log stdout format raw local0 debug
tune.ssl.default-dh-param 2048
user otn
group otn
tune.http.maxhdr 32767

tune.maxrewrite 1024

    tune.bufsize 163840

mode http
log global
option http-server-close
option httplog
option dontlognull
option redispatch
option forwardfor
retries 3
backlog 4096
timeout client 30m
timeout connect 1m
timeout server 30m
timeout tunnel 30m
timeout http-request 60m
timeout queue 10s
maxconn 10000
option accept-invalid-http-response
default-server inter 3s rise 2 fall 3 init-addr last,libc,none

haproxy -vv

HA-Proxy version 2.0.14 2020/04/02 -
Build options :
TARGET = linux-glibc
CPU = generic
CC = gcc
CFLAGS = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-old-style-declaration -Wno-ignored-qualifiers -Wno-clobbered -Wno-missing-field-initializers -Wtype-limits


Default settings :
bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with multi-threading support (MAX_THREADS=64, default=12).
Built with OpenSSL version : OpenSSL 1.0.2k-fips 26 Jan 2017
Running on OpenSSL version : OpenSSL 1.0.2k-fips 26 Jan 2017
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : SSLv3 TLSv1.0 TLSv1.1 TLSv1.2
Built with Lua version : Lua 5.3.5
Built with network namespace support.
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built with zlib version : 1.2.7
Running on zlib version : 1.2.7
Compression algorithms supported : identity(“identity”), deflate(“deflate”), raw-deflate(“deflate”), gzip(“gzip”)
Built with PCRE version : 8.32 2012-11-30
Running on PCRE version : 8.32 2012-11-30
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Encrypted password support via crypt(3): yes

Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.

Available multiplexer protocols :
(protocols marked as cannot be specified using ‘proto’ keyword)
h2 : mode=HTX side=FE|BE mux=H2
h2 : mode=HTTP side=FE mux=H2
: mode=HTX side=FE|BE mux=H1
: mode=TCP|HTTP side=FE|BE mux=PASS

Available services : none

Available filters :
[SPOE] spoe
[COMP] compression
[CACHE] cache
[TRACE] trace

thanks a lot.

1 Like

ssl-default-bind-ciphersuites is for TLSv1.3 only and requires OpenSSL 1.1.1, just as the documentation says:

This setting is only available when support for OpenSSL was built in and OpenSSL 1.1.1 or later was used to build HAProxy. It sets the default string describing the list of cipher algorithms (“cipher suite”) that are negotiated during the TLSv1.3 handshake for all “bind” lines which do not explicitly define theirs.

Maybe you want ssl-default-bind-ciphers instead?

1 Like

Another thing:

TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 is a =< TLSv1.2 cipher, it’s also the IANA name, not the Openssl name, so this needs to be a) ssl-default-bind-ciphers and b) DHE-RSA-AES256-GCM-SHA384 :

ssl-default-bind-ciphers DHE-RSA-AES256-GCM-SHA384

@tridevk So kind of you for this post. Actually i was facing same problem i tried my best but all in wane. Then i saw your post it gave my error solution. Thanks for sharing the solution of this error. :slightly_smiling_face:

My Apologies for not coming back earlier.
Thank you @lukastribus for pointing out the ssl version and suggestion to ssl-default-bind-ciphers.

it worked brilliantly.
Thank you again.