TCP - Check ssl question

amir · July 10, 2017, 12:49pm

Hi ,
I have IMAP servers which configure to work in TLS.

I would like HAProxy to impelment SSL healthcheck to backend servers without
verifying the certificate .
I still would like IMAP client to perform SSL handshake before getting the imap banner
(greeting).

when i use “check ssl verify none” in the server line, IMAP client doesn’t require to perform SSL handshake get the banner without SSL handshake .

“check ssl verify none”:
root@t2-ngvm-proxy-au1 ~]# telnet 0 50443
Trying 0.0.0.0…
Connected to 0.
Escape character is ‘^]’.

OK IMAP4 proxy ready (Multi Interface Supplementing Tunnel)

when i use “check verify none” (with out “ssl” string in the serve line) , IMAP client doesn’t get the banner and require to perform SSL handshake (as expected).

“check verify none” (with out ssl string in the server line):
[root@t2-ngvm-proxy-au1 ~]# telnet 0 50443
Trying 0.0.0.0…
Connected to 0.
Escape character is ‘^]’.

My questions are:
1.Which configuration is the proper one for my needs ?(seems like with out ssl string in the server line)
2.when using “check verify none” (with out “ssl” string in the serve line) , does HAProxy
still check SSL (healthcheck) and banner toward the back-end servers ?

see the configuration below:

listen HAProxy_VVM
log global
option tcplog
mode tcp
bind :50443 name S_SSL
balance roundrobin
option tcp-check
tcp-check connect port 50443 ssl
tcp-check expect string *\ OK
maxconn 90096
timeout client 600000
timeout server 60000
timeout connect 5000
server T004-vi-cas-au1 10.45.156.252 check verify none inter 30000
server T004-vi-cas-au2 10.45.156.253 check verify none inter 30000

Thanks !

lukastribus · July 10, 2017, 1:39pm

What you need is “check-ssl”, not “check ssl”:
http://cbonte.github.io/haproxy-dconv/1.7/configuration.html#check-ssl

amir · July 11, 2017, 1:24pm

Thanks a lot !
I will test it as it seems works good now.

amir · July 12, 2017, 7:38am

Hi,
after configure in teh server line “check-ssl” i noticed the following:

IMAP client required to implement SSL handshake before the imap session (expected
result)
HAPProxy stop monitoring (health-check) backend servers (not excepted result)
Not SSL health-check
Not banner health-check

see the configuration below:

listen HAProxy_VVM
log global
option tcplog
mode tcp
bind :50443 name S_SSL
balance roundrobin
option tcp-check
tcp-check connect port 50443 ssl
tcp-check expect string *\ OK
maxconn 90096
timeout client 600000
timeout server 60000
timeout connect 5000
server T004-vi-cas-au1 10.45.156.252 check-ssl verify none inter 30000
server T004-vi-cas-au2 10.45.156.253 check-ssl verify none inter 30000

lukastribus · July 12, 2017, 8:36am

Indeed you are already declaring the ssl keyword in the “tcp-check” directive, so check-ssl is not needed. Just using “check” is the correct configuration then.

You don’t use the ssl keyword anywhere in the configuration except as keyword for tcp-check.

Whatever the TCP payload, it will transparently be passed to the backend server.

Careful: this configuration is for IMAPS (Port 993) - and IMAPS does not have an unencrypted imap banner.
IMAP with StartTLS is something entirely different, and DOES NOT require ssl for health checks.

amir · July 12, 2017, 9:39am

Thank you for the clear and comprehensive answer !
Now after the configuration both IMAP client and HAProxy health-check function as expected
Thanks

Topic		Replies	Views
No SSL on TCP Check Help!	5	6175	August 16, 2019
Is 'ssl verify none' work for self-signed certificate in tcp mode helthcheck? Help!	18	47234	December 16, 2020
Haproxy SSL/TLS Passthrough Proxy not working? Help!	1	808	April 4, 2022
Why does health checking break my TCP proxy Help!	1	4402	June 6, 2016
HAProxy in `mode tcp` accepts HTTP with HTTPS backend Help!	1	606	March 3, 2020

TCP - Check ssl question

Related Topics