HAProxy community

TLS1.3 is not enabled on Haproxy 2.0.3 with upgraded Openssl 1.1.1c- OS CentOS7

I don't see TLS 1.3 enabled even after upgrading the OpenSSL version to 1.1.1c.
Can you please suggest how to enable TLS 1.3 on HAProxy 2.0.3?

Here is my Haproxy -vv
HA-Proxy version 2.0.3 2019/07/23 - https://haproxy.org/
Build options :
TARGET = linux-glibc
CPU = generic
CC = gcc
CFLAGS = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-old-style-declaration -Wno-ignored-qualifiers -Wno-clobbered -Wno-missing-field-initializers -Wtype-limits
OPTIONS = USE_PCRE=1 USE_LIBCRYPT=1 USE_CRYPT_H=1 USE_OPENSSL=1 USE_ZLIB=1

Feature list : +EPOLL -KQUEUE -MY_EPOLL -MY_SPLICE +NETFILTER +PCRE -PCRE_JIT -PCRE2 -PCRE2_JIT +POLL -PRIVATE_CACHE +THREAD -PTHREAD_PSHARED -REGPARM -STATIC_PCRE -STATIC_PCRE2 +TPROXY +LINUX_TPROXY +LINUX_SPLICE +LIBCRYPT +CRYPT_H -VSYSCALL +GETADDRINFO +OPENSSL -LUA +FUTEX +ACCEPT4 -MY_ACCEPT4 +ZLIB -SLZ +CPU_AFFINITY +TFO +NS +DL +RT -DEVICEATLAS -51DEGREES -WURFL -SYSTEMD -OBSOLETE_LINKER +PRCTL +THREAD_DUMP -EVPORTS

Default settings :
bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with multi-threading support (MAX_THREADS=64, default=6).
Built with OpenSSL version : OpenSSL 1.0.2k-fips 26 Jan 2017
Running on OpenSSL version : OpenSSL 1.0.2k-fips 26 Jan 2017
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : SSLv3 TLSv1.0 TLSv1.1 TLSv1.2
Built with network namespace support.
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built with zlib version : 1.2.7
Running on zlib version : 1.2.7
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with PCRE version : 8.32 2012-11-30
Running on PCRE version : 8.32 2012-11-30
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Encrypted password support via crypt(3): yes

Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.

Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
h2 : mode=HTX side=FE|BE mux=H2
h2 : mode=HTTP side=FE mux=H2
<default> : mode=HTX side=FE|BE mux=H1
<default> : mode=TCP|HTTP side=FE|BE mux=PASS

Available services : none

Available filters :
[SPOE] spoe
[COMP] compression
[CACHE] cache
[TRACE] trace

SSLLabs output:

HAProxy was built against OpenSSL 1.0.2.

After upgrading OpenSSL, you need to rebuild Haproxy.

Can you please provide me the steps for rebuilding HAProxy? Because I don't want to mess up my steps for recompiling HAProxy with OpenSSL.

How did you upgrade OpenSSL?

I followed the steps in the link below for upgrading OpenSSL.

Once I upgrade OpenSSL, do I need to compile HAProxy?

While upgrading OpenSSL, do I need to uninstall the older version and install the latest one, or can I overwrite on top of it? What is the suggested step for upgrading OpenSSL?

You should have read INSTALL instead, as I told you earlier; it addresses your exact problems, explaining how to build openssl and haproxy without installing and impacting your system.

Here is the exact link to line 240 of the INSTALL document, please read it carefully and follow it, instead of blog posts on the Internet:

http://git.haproxy.org/?p=haproxy-2.0.git;a=blob;f=INSTALL;h=d6d786b08894bfae21383fa6a3fcf3bd63c082b1;hb=HEAD#l240

Does CentOS 7 really support the TLS 1.3 protocol with HAProxy installed?

Not by default, which is why building both openssl and haproxy is necessary.

I followed the same steps as per the INSTALL… still don't see TLS 1.3 enabled for OpenSSL 1.1.1c and HAProxy 2.0.3.

wasting my time on this…

Yeah, mine too.

I told you to use CentOS 7 so you would not have to recompile openssl and haproxy yourself for your IE8 issue. You could have just recompiled openssl on your original OS instead, if you were going to do that anyway.

The procedure works just fine in CentOS 7, I did include pthread and dl libs to make the haproxy build go through (adding ADDLIB="-ldl -lpthread" to the make line):

[lukas@localhost ~] $ wget https://www.openssl.org/source/openssl-1.1.1c.tar.gz
[lukas@localhost ~] $ tar -xzf openssl-1.1.1c.tar.gz
[lukas@localhost ~] $ cd openssl-1.1.1c
[lukas@localhost openssl-1.1.1c] $ 
[lukas@localhost openssl-1.1.1c] $ export STATICLIBSSL=/tmp/staticlibssl
[lukas@localhost openssl-1.1.1c] $ ./config --prefix=$STATICLIBSSL no-shared
[lukas@localhost openssl-1.1.1c] $ make && make install_sw
[...]
[lukas@localhost openssl-1.1.1c] $ cd ~
[lukas@localhost ~] $ wget http://www.haproxy.org/download/2.0/src/haproxy-2.0.4.tar.gz
[lukas@localhost ~] $ tar -xzf haproxy-2.0.4.tar.gz
[lukas@localhost ~] $ cd haproxy-2.0.4
[lukas@localhost haproxy-2.0.4] $ make TARGET=generic USE_OPENSSL=1 SSL_INC=$STATICLIBSSL/include SSL_LIB=$STATICLIBSSL/lib ADDLIB="-ldl -lpthread"
[...]
[lukas@localhost haproxy-2.0.4] $ ./haproxy -vv  | grep OpenSSL
Built with OpenSSL version : OpenSSL 1.1.1c  28 May 2019
Running on OpenSSL version : OpenSSL 1.1.1c  28 May 2019
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
[lukas@localhost haproxy-2.0.4] $

If you need your weak IE8 ciphers, don’t forget to configure your openssl build with enable-weak-ssl-ciphers.
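As an added example (not part of the thread, and not HAProxy's own tooling), the check below reads `haproxy -vv` output and answers the question this thread is about: was the binary actually built against the OpenSSL you just compiled, is it running on that same library, and does the library list TLSv1.3? The three sample outputs are constructed from the lines seen in this thread; the "mismatch" case is a constructed illustration of a binary compiled against 1.1.1c headers that the dynamic loader then resolved to the system 1.0.2k, which is the sort of silent failure a static `no-shared` build is meant to avoid.

```shell
#!/bin/sh
# Added example, not from the thread. Reads `haproxy -vv` output on stdin and
# returns 0 when TLS 1.3 is usable, 1 otherwise, printing the reason.
# Usage:  haproxy -vv | check_tls13_support
check_tls13_support() {
    _out=$(cat)
    # The three lines below are exactly the ones `haproxy -vv` prints.
    _built=$(printf '%s\n' "$_out" | sed -n 's/^Built with OpenSSL version : //p')
    _running=$(printf '%s\n' "$_out" | sed -n 's/^Running on OpenSSL version : //p')
    _protos=$(printf '%s\n' "$_out" | sed -n 's/^OpenSSL library supports : //p')

    if [ -z "$_built" ] || [ -z "$_running" ]; then
        echo "FAIL: no OpenSSL lines found (binary built without USE_OPENSSL=1?)"
        return 1
    fi
    # Compile-time and run-time library must agree; the protocol list is derived
    # from compile-time macros, so it can claim TLSv1.3 even when the loader
    # picked up an older shared libssl at runtime.
    if [ "$_built" != "$_running" ]; then
        echo "FAIL: built with '$_built' but running on '$_running' (check SSL_LIB / library path, or build with no-shared)"
        return 1
    fi
    case " $_protos " in
        *" TLSv1.3 "*)
            echo "OK: TLS 1.3 available ($_built)"
            return 0 ;;
    esac
    echo "FAIL: '$_built' has no TLSv1.3 (needs OpenSSL >= 1.1.1); rebuild haproxy against the new library"
    return 1
}

# Constructed sample: the original post (OpenSSL 1.0.2k, no TLSv1.3).
OLD_BUILD='HA-Proxy version 2.0.3 2019/07/23 - https://haproxy.org/
Built with OpenSSL version : OpenSSL 1.0.2k-fips 26 Jan 2017
Running on OpenSSL version : OpenSSL 1.0.2k-fips 26 Jan 2017
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : SSLv3 TLSv1.0 TLSv1.1 TLSv1.2'

# Constructed sample: the rebuilt binary from later in the thread.
NEW_BUILD='HA-Proxy version 2.0.4 2019/08/06 - https://haproxy.org/
Built with OpenSSL version : OpenSSL 1.1.1c  28 May 2019
Running on OpenSSL version : OpenSSL 1.1.1c  28 May 2019
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3'

# Constructed sample: compiled against 1.1.1c headers, but linked dynamically
# and resolved to the distro 1.0.2k at runtime.
MISMATCH='Built with OpenSSL version : OpenSSL 1.1.1c  28 May 2019
Running on OpenSSL version : OpenSSL 1.0.2k-fips 26 Jan 2017
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3'

# Demonstration on the constructed samples.
printf '%s\n' "$OLD_BUILD" | check_tls13_support
printf '%s\n' "$NEW_BUILD" | check_tls13_support
printf '%s\n' "$MISMATCH" | check_tls13_support
```

Run it against the real binary with `./haproxy -vv | check_tls13_support` after each rebuild; it is also a reasonable post-deploy check to script, since the thread's procedure has to be repeated for every OpenSSL security release and a forgotten `make clean` or wrong `SSL_LIB` path will otherwise go unnoticed until an external scan.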

Hurray… finally TLS 1.3 is enabled. Thank you very much.
Now I have to make sure my IE8 ciphers work.

./haproxy -vv | grep OpenSSL
Built with OpenSSL version : OpenSSL 1.1.1c 28 May 2019
Running on OpenSSL version : OpenSSL 1.1.1c 28 May 2019
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3

So how do I configure the OpenSSL build with enable-weak-ssl-ciphers?

What would be the exact command for it? Is it something like this:
./config --prefix=$STATICLIBSSL $enable-weak-ssl-ciphers no-shared

Without the dollar sign, it’s an option just like no-shared:

./config --prefix=$STATICLIBSSL enable-weak-ssl-ciphers no-shared

Don’t forget to make clean in both openssl and haproxy source directories before reconfiguring/rebuilding.

Thank you for your help, everything looks fine!!

Ok, cool.

But you have to remember that you will need to go through this procedure every time OpenSSL publishes a new release with security bugfixes.

You cannot just apt-get upgrade or yum update anymore, as that won’t touch your local openssl and haproxy build.

Okay sure, one last question: what would be the best approach for downgrading the HAProxy version?

Just use the same procedure with older source code. But make sure that you remove obsolete and update init.d scripts / systemd unit files.