TLS 1.0 enabling

Help!
1

Good morning,

Has functionality changed from 1.9 to 2.0, in terms of TLS 1.0? Does it need to be explicitly added in the config now? If I switch to 2.0 on my exchange load balancer, our W7 Outlook 2016 clients stop as it relies on TLS 1.0.

Thanks

James

2

No, it has not changed.

I suggest you provide the configuration, logs and the output of haproxy -vv from both 1.9 and 2.0.

3

1.9:

HA-Proxy version 1.9.7 2019/04/25 - https://haproxy.org/
Build options :
TARGET = linux2628
CPU = generic
CC = gcc
CFLAGS = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-old-style-declaration -Wno-ignored-qualifiers -Wno-clobbered -Wno-missing-field-initializers -Wtype-limits
OPTIONS = USE_LIBCRYPT=1 USE_CRYPT_H=1 USE_ZLIB=1 USE_OPENSSL=1 USE_SYSTEMD=1 USE_PCRE=1

Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with OpenSSL version : OpenSSL 1.0.2k-fips 26 Jan 2017
Running on OpenSSL version : OpenSSL 1.0.2k-fips 26 Jan 2017
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : SSLv3 TLSv1.0 TLSv1.1 TLSv1.2
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built with zlib version : 1.2.7
Running on zlib version : 1.2.7
Compression algorithms supported : identity(“identity”), deflate(“deflate”), raw-deflate(“deflate”), gzip(“gzip”)
Built with PCRE version : 8.32 2012-11-30
Running on PCRE version : 8.32 2012-11-30
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Encrypted password support via crypt(3): yes
Built with multi-threading support.

Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.

Available multiplexer protocols :
(protocols marked as cannot be specified using ‘proto’ keyword)
h2 : mode=HTX side=FE|BE
h2 : mode=HTTP side=FE
: mode=HTX side=FE|BE
: mode=TCP|HTTP side=FE|BE

Available filters :
[SPOE] spoe
[COMP] compression
[CACHE] cache
[TRACE] trace
2.0:
HA-Proxy version 2.0.3 2019/07/23 - https://haproxy.org/
Build options :
TARGET = linux-glibc
CPU = generic
CC = gcc
CFLAGS = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-old-style-declaration -Wno-ignored-qualifiers -Wno-clobbered -Wno-missing-field-initializers -Wtype-limits
OPTIONS = USE_PCRE=1 USE_LIBCRYPT=1 USE_CRYPT_H=1 USE_OPENSSL=1 USE_ZLIB=1 USE_SYSTEMD=1

Feature list : +EPOLL -KQUEUE -MY_EPOLL -MY_SPLICE +NETFILTER +PCRE -PCRE_JIT -PCRE2 -PCRE2_JIT +POLL -PRIVATE_CACHE +THREAD -PTHREAD_PSHARED -REGPARM -STATIC_PCRE -STATIC_PCRE2 +TPROXY +LINUX_TPROXY +LINUX_SPLICE +LIBCRYPT +CRYPT_H -VSYSCALL +GETADDRINFO +OPENSSL -LUA +FUTEX +ACCEPT4 -MY_ACCEPT4 +ZLIB -SLZ +CPU_AFFINITY +TFO +NS +DL +RT -DEVICEATLAS -51DEGREES -WURFL +SYSTEMD -OBSOLETE_LINKER +PRCTL +THREAD_DUMP -EVPORTS

Default settings :
bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with multi-threading support (MAX_THREADS=64, default=1).
Built with OpenSSL version : OpenSSL 1.0.2k-fips 26 Jan 2017
Running on OpenSSL version : OpenSSL 1.0.2k-fips 26 Jan 2017
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : SSLv3 TLSv1.0 TLSv1.1 TLSv1.2
Built with network namespace support.
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built with zlib version : 1.2.7
Running on zlib version : 1.2.7
Compression algorithms supported : identity(“identity”), deflate(“deflate”), raw-deflate(“deflate”), gzip(“gzip”)
Built with PCRE version : 8.32 2012-11-30
Running on PCRE version : 8.32 2012-11-30
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Encrypted password support via crypt(3): yes

Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.

Available multiplexer protocols :
(protocols marked as cannot be specified using ‘proto’ keyword)
h2 : mode=HTX side=FE|BE mux=H2
h2 : mode=HTTP side=FE mux=H2
: mode=HTX side=FE|BE mux=H1
: mode=TCP|HTTP side=FE|BE mux=PASS

Available services : none

Available filters :
[SPOE] spoe
[COMP] compression
[CACHE] cache
[TRACE] trace

I am using the same config for both:

defaults
option dontlognull # Do not log connections with no requests
option redispatch # Try another server in case of connection failure
option contstats # Enable continuous traffic statistics updates
retries 3 # Try to connect up to 3 times in case of failure
timeout connect 5s # 5 seconds max to connect or to stay in queue
timeout http-keep-alive 1s # 1 second max for the client to post next request
timeout http-request 15s # 15 seconds max for the client to send a request
timeout queue 30s # 30 seconds max queued on load balancer
timeout tarpit 1m # tarpit hold tim
backlog 10000 # Size of SYN backlog queue
balance roundrobin #alctl: load balancing algorithm
mode tcp #alctl: protocol analyser
option tcplog #alctl: log format
log global #alctl: log activation
timeout client 1000s #alctl: client inactivity timeout
timeout server 1000s #alctl: server inactivity timeout
default-server inter 3s rise 2 fall 3 #alctl: default check parameters

listen stats
bind :9000
mode http
stats enable
stats hide-version
stats uri /
stats refresh 30s
stats show-node

frontend ft_443exchange_tcp
bind 192.168.100.47:443 name https #alctl: listener https configuration.
maxconn 10000 #alctl: connection max (depends on capacity)
default_backend bk_443exchange_tcp #alctl: default farm to use
backend bk_443exchange_tcp
server EX02 192.168.100.28:443 maxconn 10000 check
server EX03 192.168.100.15:443 maxconn 10000 check
frontend ft_80exchange_tcp
bind 192.168.100.47:80 name https #alctl: listener https configuration.
maxconn 10000 #alctl: connection max (depends on capacity)
default_backend bk_80exchange_tcp #alctl: default farm to use
backend bk_80exchange_tcp
server EX02 192.168.100.28:80 maxconn 10000 check
server EX03 192.168.100.15:80 maxconn 10000 check
frontend ft_25exchange_tcp
bind 192.168.100.47:25 name smtp #alctl: listener https configuration.
maxconn 10000 #alctl: connection max (depends on capacity)
acl network_allowed src 192.168.100.0/24 192.168.200.0/24 192.168.3.0/24 192.168.2.0/24 207.46.100.0/24 134.170.132.0/24 52.100.0.0/14 40.107.128.0/18 40.107.0.0/17 23.103.212.0/22 23.10$
tcp-request connection reject if !network_allowed
use_backend bk_25exchange_tcp
backend bk_25exchange_tcp
server EX02 192.168.100.28:25 maxconn 10000 check
server EX03 192.168.100.15:25 maxconn 10000 check

4

How do you come to the conclusion that this is about TLSv1.0?

Are you aware of TLS handshake failures with those clients?

Again, please do share the logs.

5

Hi Lukas,

My conclusion is not scientific or log based at all, just from knowing how my system works. When we are running 1.9, W7 and W10 Outlook 2016 clients work, when we switch over to 2.0, all the W7 clients stop but the W10 keep going. The only difference I can find is that older W7 clients connect to Exchange via TLS1.0 and newer clients use a newer version.

I will do some more testing and update, if nothing has changed and TLS1.0 should be allowed as default as before, then I need to do more of a deep dive into it with some wiresharking.

There is also a Windows 7 hotfix/update that forces higher TLS, so I may push this out to some clients and see if a switch to 2.0 affects them afterwards.

Thanks for the help so far, great product.

James