I am trying to configure my HAProxy such that my clients strictly use TLS 1.3; for that I am using ssl-min-ver. However, client negotiation with HAProxy is still failing for TLS 1.3 yet allowing it to proceed with TLS 1.2. How do I configure it such that TLS 1.3 clients fail the request?
No, the log clearly shows that TLSv1.3 is negotiated and used.
Please try to use text instead of screenshots, so we can directly quote.
@lukastribus below are more details. Let me know if you have follow-up questions:

(1) This should have failed to connect to the application with the strict TLS 1.3 configuration:
```
$ curl https://XYZ.azure.com:443 --cacert cert.pem --tlsv1.2 -v
*   Trying XX.XX.XX.XXX:443...
* Connected to XYZ.azure.com (XX.XX.XX.XXX) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: cert.pem
*  CApath: certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: C=XX; ST=XX; O=XX; OU=XYZ.azure.com; CN=XYZ.azure.com
*  start date: Jul 31 06:47:12 2023 GMT
*  expire date: Jul 30 06:47:12 2024 GMT
*  subjectAltName: host "XYZ.azure.com" matched cert's "XYZ.azure.com"
*  issuer: C=XX; ST=XX; L=XX; O=XX; OU=XX; CN=XX
*  SSL certificate verify ok.
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> GET / HTTP/1.1
> Host: XYZ.azure.com
> User-Agent: curl/7.81.0
> Accept: */*
>
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< content-type: text/html; charset=utf-8
< date: Thu, 24 Aug 2023 10:30:30 GMT
< server: Kestrel
< cache-control: no-cache, no-store
< pragma: no-cache
< set-cookie: .AspNetCore.Antiforgery.lXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX; path=/; samesite=strict; httponly
< transfer-encoding: chunked
< strict-transport-security: max-age=2592000
< x-frame-options: SAMEORIGIN
< connection: close
<
```
(2) HAProxy config setting:

```
frontend XYZ
    bind *:443 ssl crt XYZ.pem ssl-min-ver TLSv1.3
    http-request redirect scheme https unless { ssl_fc }
    mode http
    default_backend App1
```
You are wrong, `curl --tlsv1.2` doesn't force TLSv1.2, it forces TLSv1.2 or later, which is why TLSv1.3 is successfully negotiated, as you see from the curl output:

```
SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
```

Please read the curl man page:
https://curl.se/docs/manpage.html#--tlsv12

> --tlsv1.2
>
> (TLS) Forces curl to use TLS version 1.2 or later when connecting to a remote TLS server.
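As an added example (not code from the thread or from HAProxy), here is a small POSIX shell check that verifies an `ssl-min-ver TLSv1.3` listener the way the original poster intended: it caps the client with curl's `--tls-max 1.2` (a ceiling, unlike `--tlsv1.2`, which is a floor) and expects the handshake to fail, then confirms TLS 1.3 still negotiates. The host, port, CA file and the two sample curl transcripts are constructed placeholders.

```shell
#!/bin/sh
# Verify a strict-TLS-1.3 HAProxy listener from the client side.
# Added example; HOST/PORT/CAFILE below are placeholders, not the thread's values.

# Pull the negotiated protocol out of curl's verbose output
# ("* SSL connection using TLSv1.3 / ..."); prints nothing if no TLS session was set up.
negotiated_version() {
    sed -n 's/^\* *SSL connection using \(TLSv1\.[0-9]\).*/\1/p' | head -n 1
}

# Probe host:port with the client's MAXIMUM TLS version capped at $4
# (e.g. "1.2"); --tls-max is the curl option that imposes a ceiling.
probe() { # host port cafile max_version
    curl -sS -o /dev/null --cacert "$3" --tls-max "$4" -v "https://$1:$2/" 2>&1 \
        | negotiated_version
}

# A listener with ssl-min-ver TLSv1.3 is configured correctly when the
# 1.2-capped probe yields no session and the 1.3 probe yields TLSv1.3.
policy_ok() { # result_with_max_1.2 result_with_max_1.3
    [ -z "$1" ] && [ "$2" = "TLSv1.3" ]
}

# Run both probes against a real listener and report.
verify_listener() { # host port cafile
    v12="$(probe "$1" "$2" "$3" 1.2)"
    v13="$(probe "$1" "$2" "$3" 1.3)"
    if policy_ok "$v12" "$v13"; then
        echo "OK: TLS 1.2 rejected, TLS 1.3 negotiated"
    else
        echo "FAIL: max-1.2 probe got '${v12:-no session}', max-1.3 probe got '${v13:-no session}'"
        return 1
    fi
}

# Constructed sample transcripts (offline demo): what curl prints when the
# server rejects a 1.2-capped client with a protocol_version alert, and when TLS 1.3 succeeds.
SAMPLE_REJECTED='* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS alert, protocol version (582):
* Closing connection 0'
SAMPLE_ACCEPTED='* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384'

# Usage against a live listener: verify_listener XYZ.azure.com 443 cert.pem
```

Against the thread's config, `probe ... 1.2` should print nothing (the server sends a protocol_version alert) while `probe ... 1.3` prints `TLSv1.3`.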