Terminating opportunistic TLS (STARTTLS)

nem · April 2, 2019, 3:45am

Most of the examples I’m finding are terminating an explicit SSL stream or HTTP proxies. I’m able to terminate SMTPS/IMAPS/POP3S no problem, but running into difficulty with switching backends when SSL is negotiated via STARTTLS.

First, is it even possible for haproxy to change its backend during communication if req_ssl_hello_type is present?

If so, then is this a pipe dream? Read data on *:143, connect to the normal unencrypted backend (127.0.0.1:1430), then when req_ssl_hello_type comes across the wire, redirect the stream to *:993, which is another haproxy frontend with SNI support to terminate SSL, then send that to 127.0.0.1:1430.

This old posting for Exchange 2010 hints I’m chasing something unattainable.

lukastribus · April 2, 2019, 8:48pm

No, because this is negotiated at application layer which means haproxy would actually have to implement at least a part of the handshake of every single one of those protocols.

No, because there would already have been a POP/IMAP/SMTP handshake with some other backend.

For this to work haproxy would have to intercept the handshake of all those protocols and insert a STARTTLS negotiation.

nem · April 3, 2019, 8:56pm

Oh bummer. Thanks for answering my questions!

Topic		Replies	Views
REQ_SSL_SNI and SSL termination Help!	2	9713	March 19, 2018
Trying to re-establish SSL for connection to TCP backend Help!	1	1283	February 22, 2016
Setting up imaps with haproxy and local certs? Help!	2	1010	February 23, 2023
Backend redirecting https-termination to http Help!	0	825	July 20, 2021
TLS Termination Help!	9	1886	July 30, 2018

Terminating opportunistic TLS (STARTTLS)

Related topics