TLS 1.3 strict configuration

I am trying to configure my HAProxy such that my clients strictly use TLS 1.3. For that I am using ssl-min-ver; however, client negotiation with HAProxy is still failing for TLS 1.3, yet allowing it to proceed with TLS 1.2. How do I configure it such that TLS 1.3 clients fail the request?

No, the log clearly shows that TLSv1.3 is negotiated and used.

Please try to use text instead of screenshots, so we can directly quote.

@lukastribus below are more details. Let me know if you have follow-up questions:


(1) This should have failed to connect to the application with the strict TLS 1.3 configuration

```
$ curl https://XYZ.azure.com:443 --cacert cert.pem --tlsv1.2 -v
*   Trying XX.XX.XX.XXX:443…
* Connected to XYZ.azure.com (XX.XX.XX.XXX) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: cert.pem
*  CApath: certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: C=XX; ST=XX; O=XX; OU=XYZ.azure.com; CN=XYZ.azure.com
*  start date: Jul 31 06:47:12 2023 GMT
*  expire date: Jul 30 06:47:12 2024 GMT
*  subjectAltName: host "XYZ.azure.com" matched cert's "XYZ.azure.com"
*  issuer: C=XX; ST=XX; L=XX; O=XX; OU=XX; CN=XX
*  SSL certificate verify ok.
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> GET / HTTP/1.1
> Host: XYZ.azure.com
> User-Agent: curl/7.81.0
> Accept: */*
>
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< content-type: text/html; charset=utf-8
< date: Thu, 24 Aug 2023 10:30:30 GMT
< server: Kestrel
< cache-control: no-cache, no-store
< pragma: no-cache
< set-cookie: .AspNetCore.Antiforgery.lXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX; path=/; samesite=strict; httponly
< transfer-encoding: chunked
< strict-transport-security: max-age=2592000
< x-frame-options: SAMEORIGIN
< connection: close
<
```

-----------------------------------------------------------------

(2) HAProxy config setting:

```
frontend XYZ
    bind *:443 ssl crt XYZ.pem ssl-min-ver TLSv1.3
    http-request redirect scheme https unless { ssl_fc }
    mode http
    default_backend App1
```

You are wrong: `curl --tlsv1.2` doesn't force TLSv1.2, it forces TLSv1.2 or later, which is why TLSv1.3 is successfully negotiated, as you can see from the curl output:

```
SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
```

Please read the curl man page:

https://curl.se/docs/manpage.html#--tlsv12

--tlsv1.2
(TLS) Forces curl to use TLS version 1.2 or later when connecting to a remote TLS server.
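As an added example, not from this thread or from HAProxy's or curl's own documentation: a small probe that pins curl to exactly one TLS version by combining `--tlsv1.x` (a lower bound, the flag used above) with `--tls-max` (an upper bound), so a bind with `ssl-min-ver TLSv1.3` can be verified to refuse TLS 1.2 and accept TLS 1.3. It assumes curl 7.54 or newer built with TLS 1.3 support; the host name, the function names and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): probe a TLS endpoint with curl pinned to ONE
# protocol version. --tlsv1.x only sets the minimum, so --tls-max is added to cap it.
# Assumes curl >= 7.54 (--tls-max) with TLS 1.3 support, and network access for probe().

# Extract the negotiated protocol from curl -v output, e.g.
#   "* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384"  ->  TLSv1.3
# Prints "none" when no such line is present (handshake refused).
negotiated_version() {
    v=$(printf '%s\n' "$1" | sed -n 's/^\* *SSL connection using \(TLSv1\.[0-3]\).*/\1/p' | head -n 1)
    printf '%s\n' "${v:-none}"
}

# Connect to https://$1/ with curl pinned to exactly version $2 ("1.2" or "1.3").
# curl exits non-zero when the server refuses that version; only the negotiated protocol matters here.
probe() {
    host=$1; ver=$2
    out=$(curl -sS -o /dev/null -v --tlsv"$ver" --tls-max "$ver" "https://$host/" 2>&1 || true)
    negotiated_version "$out"
}

# Expected outcome for a bind with "ssl-min-ver TLSv1.3":
# the 1.2-pinned probe gets nothing, the 1.3-pinned probe negotiates TLSv1.3.
policy_holds() {
    [ "$1" = none ] && [ "$2" = TLSv1.3 ]
}

# Run both probes against a host and print a verdict; returns 0 only when the policy holds.
check_strict_tls13() {
    v12=$(probe "$1" 1.2)
    v13=$(probe "$1" 1.3)
    echo "pinned TLSv1.2 -> negotiated: $v12"
    echo "pinned TLSv1.3 -> negotiated: $v13"
    policy_holds "$v12" "$v13" && echo "OK: TLS 1.2 refused, TLS 1.3 accepted"
}

# Constructed samples of curl -v output (not captured from a real host) to exercise the parser.
SAMPLE_OK='* Connected to XYZ.azure.com (203.0.113.10) port 443 (#0)
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* Server certificate:'
SAMPLE_REJECT='* Connected to XYZ.azure.com (203.0.113.10) port 443 (#0)
* OpenSSL SSL_connect: tlsv1 alert protocol version
* Closing connection 0'

# Usage: sh tls13_check.sh XYZ.azure.com   (probes only run when a host is given)
if [ "$#" -ge 1 ]; then check_strict_tls13 "$1"; fi
```

A plain `curl -v --tls-max 1.2 https://host/` is the quickest manual version of the same check: against a TLSv1.3-only bind it must fail before any "SSL connection using" line appears.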