Thousands of 'SSL Handshake Failures' logged - tcp-keepalive issue?

Running HA-Proxy version 2.0.25-1ppa1~xenial on Ubuntu 16.04.7 LTS

We are seeing a large number of “Connection closed during SSL handshake” messages logged - 25% of all messages logged.

I ran tshark to capture traffic. From investigating 1 affected IP my findings were:

  • The log message “Connection closed during SSL handshake” occurs when there is no handshake in progress.
  • There are no handshake attempts prior to the error (at least in my capture window).
  • Later HTTPS connections/handshakes from the affected IP to the server are successful.
  • The message in the log seems to coincide with a TCP-KEEPALIVE message from the client. The tcp-keepalive is sent to port 443.

I have a basic theory that the TCP-KEEPALIVE messages are being logged as “Connection closed during SSL handshake”.

I’ve had a look at the haproxy source code, specifically the file ssl_sock.c. Please let me know if I’m barking up the wrong tree.

  1. A query to openssl SSL_get_state returns a state of TLS_ST_BEFORE (meaning no handshake messages have yet been sent or received).
  2. empty_handshake is set: empty_handshake = state == TLS_ST_BEFORE;
  3. There is an if statement:
    	if (!errno) {
    		if (ctx->xprt_st & SSL_SOCK_RECV_HEARTBEAT)
    			conn->err_code = CO_ER_SSL_HANDSHAKE_HB;
    		else
    			conn->err_code = CO_ER_SSL_EMPTY;
    	}
    
  4. CO_ER_SSL_EMPTY is used in a case statement to set the error:
    case CO_ER_SSL_EMPTY: return "Connection closed during SSL handshake";

Any help on the issue and my “off on a tangent” theory would be gratefully received!

JD
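To put numbers on symptoms like those above (what share of haproxy log lines are connection-level SSL errors, which reasons and which client IPs they come from, and which of those IPs also complete normal HTTPS requests later), here is a small log triage script. It is an added example, not code from the original post or from HAProxy; the sample log lines are constructed, using the `<ip>:<port> [<date>] <frontend>/<bind>: <reason>` shape HAProxy uses for connection errors and the reason strings quoted from ssl_sock.c above.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of HAProxy syslog lines (not a real capture). Connection
# errors use the "<ip>:<port> [<date>] <frontend>/<bind>: <reason>" form; the
# reason strings are those HAProxy maps from its CO_ER_SSL_* error codes, e.g.
# CO_ER_SSL_EMPTY -> "Connection closed during SSL handshake". The other lines
# are ordinary HTTP request log entries from the same frontend.
SAMPLE_LOG = """\
Nov 10 12:00:01 lb1 haproxy[2231]: 203.0.113.10:51234 [10/Nov/2021:12:00:01.101] https-in/1: Connection closed during SSL handshake
Nov 10 12:00:02 lb1 haproxy[2231]: 203.0.113.10:51234 [10/Nov/2021:12:00:02.004] https-in~ app-backend/web1 0/0/1/12/13 200 512 - - ---- 3/3/0/0/0 0/0 "GET / HTTP/1.1"
Nov 10 12:00:03 lb1 haproxy[2231]: 198.51.100.7:40001 [10/Nov/2021:12:00:03.220] https-in/1: SSL handshake failure
Nov 10 12:00:04 lb1 haproxy[2231]: 203.0.113.10:51240 [10/Nov/2021:12:00:04.500] https-in/1: Connection closed during SSL handshake
Nov 10 12:00:05 lb1 haproxy[2231]: 192.0.2.44:33000 [10/Nov/2021:12:00:05.777] https-in~ app-backend/web2 0/0/2/20/22 200 1024 - - ---- 3/3/0/0/0 0/0 "GET /health HTTP/1.1"
Nov 10 12:00:06 lb1 haproxy[2231]: 203.0.113.10:51251 [10/Nov/2021:12:00:06.900] https-in/1: Connection closed during SSL handshake
Nov 10 12:00:07 lb1 haproxy[2231]: 198.51.100.7:40002 [10/Nov/2021:12:00:07.300] https-in/1: SSL handshake failure
Nov 10 12:00:08 lb1 haproxy[2231]: 192.0.2.44:33001 [10/Nov/2021:12:00:08.010] https-in~ app-backend/web1 0/0/1/9/10 200 300 - - ---- 3/3/0/0/0 0/0 "GET /api HTTP/1.1"
"""

# Any line emitted by the haproxy process.
HAPROXY_LINE_RE = re.compile(r"haproxy\[\d+\]: (?P<ip>[\d.]+):(?P<port>\d+) ")

# Connection-level error lines: "<ip>:<port> [<date>] <frontend>/<bind>: <reason>".
# Ordinary request lines have "<frontend>~ <backend>/<server> ..." after the
# timestamp, so they do not match this pattern.
CONN_ERR_RE = re.compile(
    r"haproxy\[\d+\]: (?P<ip>[\d.]+):(?P<port>\d+) \[(?P<ts>[^\]]+)\] "
    r"(?P<frontend>[^/\s]+)/(?P<bind>[^:\s]+): (?P<reason>.+)$"
)


def parse_conn_errors(text):
    """Return (total haproxy lines, list of parsed connection-error dicts)."""
    total, errs = 0, []
    for line in text.splitlines():
        if not HAPROXY_LINE_RE.search(line):
            continue
        total += 1
        m = CONN_ERR_RE.search(line)
        if m:
            errs.append(m.groupdict())
    return total, errs


def summarize(text):
    """Share of error lines overall, broken down by reason and by client IP."""
    total, errs = parse_conn_errors(text)
    by_reason = Counter(e["reason"] for e in errs)
    by_ip = defaultdict(Counter)
    for e in errs:
        by_ip[e["ip"]][e["reason"]] += 1
    share = len(errs) / total if total else 0.0
    return {"total": total, "errors": len(errs), "share": share,
            "by_reason": by_reason, "by_ip": dict(by_ip)}


def ips_with_errors_and_success(text):
    """Client IPs that both produced an SSL connection error and completed a
    normal request in the same log window (the pattern described in the post:
    error logged, yet later HTTPS connections from the same IP succeed)."""
    error_ips, ok_ips = set(), set()
    for line in text.splitlines():
        m = HAPROXY_LINE_RE.search(line)
        if not m:
            continue
        (error_ips if CONN_ERR_RE.search(line) else ok_ips).add(m.group("ip"))
    return error_ips & ok_ips


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['errors']}/{s['total']} haproxy lines are SSL connection errors ({s['share']:.0%})")
    for reason, n in s["by_reason"].most_common():
        print(f"  {n:4d}  {reason}")
    for ip, reasons in sorted(s["by_ip"].items(), key=lambda kv: -sum(kv[1].values())):
        print(f"  {ip}: {dict(reasons)}")
    print("IPs with errors that also complete requests:", sorted(ips_with_errors_and_success(SAMPLE_LOG)))
```

Feed it `journalctl -u haproxy` or the syslog file instead of `SAMPLE_LOG` to get the real numbers; IPs that show up in the last line are the ones worth capturing with tshark, since an error with no preceding handshake on an otherwise healthy client is exactly the pattern being discussed.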

For this kind of development related question I suggest the mailing list (no need to subscribe): haproxy@formilux.org

Thanks @lukastribus - I’m not sure if it is actually a development issue, but I’ll ask on that mailing list, thanks. It would be interesting to see if anyone else has experienced the same or similar symptoms (ignoring what I think it may be).