TCP - Check ssl question


#1

Hi ,
I have IMAP servers which are configured to work with TLS.

  1. I would like HAProxy to implement an SSL health check to the backend servers without
    verifying the certificate.
  2. I still would like the IMAP client to perform an SSL handshake before getting the IMAP banner
    (greeting).

When I use “check ssl verify none” in the server line, the IMAP client isn’t required to perform an SSL handshake; it gets the banner without an SSL handshake.

“check ssl verify none”:
[root@t2-ngvm-proxy-au1 ~]# telnet 0 50443
Trying 0.0.0.0…
Connected to 0.
Escape character is ‘^]’.

* OK IMAP4 proxy ready (Multi Interface Supplementing Tunnel)

When I use “check verify none” (without the “ssl” string in the server line), the IMAP client doesn’t get the banner and is required to perform an SSL handshake (as expected).

“check verify none” (without the ssl string in the server line):
[root@t2-ngvm-proxy-au1 ~]# telnet 0 50443
Trying 0.0.0.0…
Connected to 0.
Escape character is ‘^]’.

My questions are:
1. Which configuration is the proper one for my needs? (It seems like the one without the ssl string in the server line.)
2. When using “check verify none” (without the “ssl” string in the server line), does HAProxy
still check SSL (health check) and the banner toward the backend servers?

see the configuration below:

listen HAProxy_VVM
log global
option tcplog
mode tcp
bind :50443 name S_SSL
balance roundrobin
option tcp-check
tcp-check connect port 50443 ssl
tcp-check expect string *\ OK
maxconn 90096
timeout client 600000
timeout server 60000
timeout connect 5000
server T004-vi-cas-au1 10.45.156.252 check verify none inter 30000
server T004-vi-cas-au2 10.45.156.253 check verify none inter 30000

Thanks !


#2

What you need is “check-ssl”, not “check ssl”:
http://cbonte.github.io/haproxy-dconv/1.7/configuration.html#check-ssl


#3

Thanks a lot !
I will test it, as it seems to work well now.


#4

Hi,
after configuring “check-ssl” in the server line, I noticed the following:

  1. The IMAP client is required to perform an SSL handshake before the IMAP session (expected
    result).
  2. HAProxy stops monitoring (health-checking) the backend servers (not the expected result):
    no SSL health check,
    no banner health check.

see the configuration below:

listen HAProxy_VVM
log global
option tcplog
mode tcp
bind :50443 name S_SSL
balance roundrobin
option tcp-check
tcp-check connect port 50443 ssl
tcp-check expect string *\ OK
maxconn 90096
timeout client 600000
timeout server 60000
timeout connect 5000
server T004-vi-cas-au1 10.45.156.252 check-ssl verify none inter 30000
server T004-vi-cas-au2 10.45.156.253 check-ssl verify none inter 30000


#5

Indeed you are already declaring the ssl keyword in the “tcp-check” directive, so check-ssl is not needed. Just using “check” is the correct configuration then.

You don’t use the ssl keyword anywhere in the configuration except as a keyword for tcp-check.

Whatever the TCP payload, it will transparently be passed to the backend server.

Careful: this configuration is for IMAPS (Port 993) - and IMAPS does not have an unencrypted imap banner.
IMAP with StartTLS is something entirely different, and DOES NOT require ssl for health checks.
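
The configuration that the answer above arrives at, written out as an added example (this is not copied from the thread or from the HAProxy project; the section name, backend addresses 10.45.156.252/253 and the HAProxy 1.7 syntax are reused from the original post as assumptions, and the ca-file path is a placeholder). The commented-out server lines show the two variants that were tried earlier in the thread and how each behaved, so the difference between a server-level “ssl” keyword, a “check-ssl” keyword and the “ssl” keyword on “tcp-check connect” is visible side by side.

```haproxy
# Added example of the corrected configuration discussed in this thread.
# Names, addresses and 1.7-era syntax are assumptions taken from the original post.
listen HAProxy_VVM
    log global
    option tcplog
    mode tcp
    # No "ssl" on the bind: HAProxy does not terminate TLS, so a client connecting
    # to :50443 must complete its own TLS handshake with the backend before it can
    # see the "* OK" greeting. This is IMAPS (port 993) semantics: there is no
    # plaintext banner. IMAP with STARTTLS is plain IMAP and would not need "ssl"
    # on the health check at all.
    bind :50443 name S_SSL
    balance roundrobin
    maxconn 90096
    timeout client 600000
    timeout server 60000
    timeout connect 5000

    # Health check: open a TLS connection to the backend's IMAPS port and require the
    # IMAP greeting. This "ssl" keyword is the only place where TLS is configured for
    # the health check; nothing else in the section needs to mention ssl.
    option tcp-check
    tcp-check connect port 50443 ssl
    tcp-check expect string *\ OK

    # Correct: plain "check". "verify none" disables validation of the backend
    # certificate, which is what was asked for, but it also means a man-in-the-middle
    # between HAProxy and the backend would not be detected by the health check.
    # "verify required ca-file /etc/haproxy/backend-ca.pem" (assumed path) is the
    # stricter choice when the backend certificate chain is known.
    server T004-vi-cas-au1 10.45.156.252 check verify none inter 30000
    server T004-vi-cas-au2 10.45.156.253 check verify none inter 30000

    # Variants tried in the thread, kept here for contrast (do not uncomment):
    #
    # "check ssl": the server-level "ssl" keyword makes HAProxy itself speak TLS to
    # the backend for all traffic, so a plaintext telnet client got the "* OK" banner
    # without any handshake.
    # server T004-vi-cas-au1 10.45.156.252 check ssl verify none inter 30000
    #
    # "check-ssl": adds TLS to the check connection on top of the "ssl" already set
    # on "tcp-check connect"; in the thread the health checks stopped working with it.
    # server T004-vi-cas-au1 10.45.156.252 check-ssl verify none inter 30000
```

To confirm the client-side behaviour after reloading, `telnet host 50443` should connect but print no banner, while `openssl s_client -connect host:50443` should show the `* OK` greeting only after the handshake completes; the backend status in the stats page or `show stat` on the admin socket confirms that the tcp-check is still passing.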


#6

Thank you for the clear and comprehensive answer!
Now, after the configuration change, both the IMAP client and the HAProxy health check function as expected.
Thanks