TLS 1.3 is not enabled on HAProxy 2.0.3 with upgraded OpenSSL 1.1.1c - OS CentOS 7

I don't see TLS 1.3 enabled even after upgrading the OpenSSL version to 1.1.1c.
Can you please suggest how to enable TLS 1.3 on HAProxy 2.0.3?

Here is my Haproxy -vv
HA-Proxy version 2.0.3 2019/07/23 - https://haproxy.org/
Build options :
TARGET = linux-glibc
CPU = generic
CC = gcc
CFLAGS = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-old-style-declaration -Wno-ignored-qualifiers -Wno-clobbered -Wno-missing-field-initializers -Wtype-limits
OPTIONS = USE_PCRE=1 USE_LIBCRYPT=1 USE_CRYPT_H=1 USE_OPENSSL=1 USE_ZLIB=1

Feature list : +EPOLL -KQUEUE -MY_EPOLL -MY_SPLICE +NETFILTER +PCRE -PCRE_JIT -PCRE2 -PCRE2_JIT +POLL -PRIVATE_CACHE +THREAD -PTHREAD_PSHARED -REGPARM -STATIC_PCRE -STATIC_PCRE2 +TPROXY +LINUX_TPROXY +LINUX_SPLICE +LIBCRYPT +CRYPT_H -VSYSCALL +GETADDRINFO +OPENSSL -LUA +FUTEX +ACCEPT4 -MY_ACCEPT4 +ZLIB -SLZ +CPU_AFFINITY +TFO +NS +DL +RT -DEVICEATLAS -51DEGREES -WURFL -SYSTEMD -OBSOLETE_LINKER +PRCTL +THREAD_DUMP -EVPORTS

Default settings :
bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with multi-threading support (MAX_THREADS=64, default=6).
Built with OpenSSL version : OpenSSL 1.0.2k-fips 26 Jan 2017
Running on OpenSSL version : OpenSSL 1.0.2k-fips 26 Jan 2017
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : SSLv3 TLSv1.0 TLSv1.1 TLSv1.2
Built with network namespace support.
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built with zlib version : 1.2.7
Running on zlib version : 1.2.7
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with PCRE version : 8.32 2012-11-30
Running on PCRE version : 8.32 2012-11-30
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Encrypted password support via crypt(3): yes

Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.

Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
h2 : mode=HTX side=FE|BE mux=H2
h2 : mode=HTTP side=FE mux=H2
<default> : mode=HTX side=FE|BE mux=H1
<default> : mode=TCP|HTTP side=FE|BE mux=PASS

Available services : none

Available filters :
[SPOE] spoe
[COMP] compression
[CACHE] cache
[TRACE] trace

SSLLabs output:

Haproxy was built against OpenSSL 1.0.2.

After upgrading OpenSSL, you need to rebuild Haproxy.

Can you please provide me with the steps for rebuilding HAProxy? Because I don't want to mess up my steps for recompiling HAProxy with OpenSSL.

How did you upgrade OpenSSL?

I followed the steps from the link below for upgrading OpenSSL.

Once I upgrade OpenSSL, do I need to compile HAProxy?

While upgrading OpenSSL, do I need to uninstall the older version and install the latest one? Or can I overwrite on top of it? What is the suggested step for upgrading OpenSSL?

You should have read INSTALL instead, which I told you earlier; it addresses your exact problems, explaining how to build openssl and haproxy without installing and impacting your system.

Here is the exact link to line 240 of the INSTALL document, please read it carefully and follow it, instead of blog posts on the Internet:

http://git.haproxy.org/?p=haproxy-2.0.git;a=blob;f=INSTALL;h=d6d786b08894bfae21383fa6a3fcf3bd63c082b1;hb=HEAD#l240

Does CentOS 7 really support the TLS 1.3 protocol, with HAProxy installed?

Not by default, which is why building both openssl and haproxy is necessary.

I followed the same steps as per the INSTALL… still don't see TLS 1.3 enabled for OpenSSL 1.1.1c and HAProxy 2.0.3.

wasting my time on this…

Yeah, mine too.

I told you to use CentOS 7 so you would not have to recompile openssl and haproxy yourself for your IE8 issue. You could have just recompiled openssl on your original OS instead, if you were gonna do that anyway.

The procedure works just fine in CentOS 7, I did include pthread and dl libs to make the haproxy build go through (adding ADDLIB="-ldl -lpthread" to the make line):

[lukas@localhost ~] $ wget https://www.openssl.org/source/openssl-1.1.1c.tar.gz
[lukas@localhost ~] $ tar -xzf openssl-1.1.1c.tar.gz
[lukas@localhost ~] $ cd openssl-1.1.1c
[lukas@localhost openssl-1.1.1c] $ 
[lukas@localhost openssl-1.1.1c] $ export STATICLIBSSL=/tmp/staticlibssl
[lukas@localhost openssl-1.1.1c] $ ./config --prefix=$STATICLIBSSL no-shared
[lukas@localhost openssl-1.1.1c] $ make && make install_sw
[...]
[lukas@localhost openssl-1.1.1c] cd ~
[lukas@localhost ~] $ wget http://www.haproxy.org/download/2.0/src/haproxy-2.0.4.tar.gz
[lukas@localhost ~] $ tar -xzf haproxy-2.0.4.tar.gz
[lukas@localhost ~] $ cd haproxy-2.0.4
[lukas@localhost haproxy-2.0.4] $ make TARGET=generic USE_OPENSSL=1 SSL_INC=$STATICLIBSSL/include SSL_LIB=$STATICLIBSSL/lib ADDLIB="-ldl -lpthread"
[...]
[lukas@localhost haproxy-2.0.4] $ ./haproxy -vv  | grep OpenSSL
Built with OpenSSL version : OpenSSL 1.1.1c  28 May 2019
Running on OpenSSL version : OpenSSL 1.1.1c  28 May 2019
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
[lukas@localhost haproxy-2.0.4] $

If you need your weak IE8 ciphers, don’t forget to configure your openssl build with enable-weak-ssl-ciphers.
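A small check that catches the failure mode at the top of this thread (a haproxy binary still built against OpenSSL 1.0.2 after the system library was upgraded). This is an added example, not code from the thread or from the HAProxy project; it parses the `haproxy -vv` lines quoted above and the sample text it runs on is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check `haproxy -vv` output.
# Usage after a rebuild:  ./haproxy -vv | check_tls13_support
# Returns 0 when the OpenSSL the binary runs on lists TLSv1.3,
# 1 when it does not (rebuild needed), 2 when no OpenSSL lines are present.

check_tls13_support() {
    vv=$(cat)
    built=$(printf '%s\n' "$vv"   | sed -n 's/^Built with OpenSSL version *: *//p')
    running=$(printf '%s\n' "$vv" | sed -n 's/^Running on OpenSSL version *: *//p')
    # Only the "OpenSSL library supports : ..." line matches this pattern;
    # the "TLS extensions" and "SNI" lines have a word before the colon.
    protos=$(printf '%s\n' "$vv"  | sed -n 's/^OpenSSL library supports *: *//p')

    if [ -z "$built" ] || [ -z "$running" ]; then
        echo "no OpenSSL version lines found (built without USE_OPENSSL=1?)" >&2
        return 2
    fi
    # Built and running versions normally match; a difference means the binary
    # picked up a different libssl at run time than it was compiled against.
    if [ "$built" != "$running" ]; then
        echo "warning: built against '$built' but running on '$running'" >&2
    fi
    case " $protos " in
        *" TLSv1.3 "*)
            echo "OK: $running offers TLSv1.3"
            return 0 ;;
        *)
            echo "TLSv1.3 unavailable: $running only supports: $protos" >&2
            echo "rebuild haproxy against OpenSSL >= 1.1.1 (see INSTALL)" >&2
            return 1 ;;
    esac
}

# Constructed samples mirroring the first (1.0.2k) and final (1.1.1c) outputs in this thread.
OLD_VV='Built with OpenSSL version : OpenSSL 1.0.2k-fips 26 Jan 2017
Running on OpenSSL version : OpenSSL 1.0.2k-fips 26 Jan 2017
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : SSLv3 TLSv1.0 TLSv1.1 TLSv1.2'
NEW_VV='Built with OpenSSL version : OpenSSL 1.1.1c  28 May 2019
Running on OpenSSL version : OpenSSL 1.1.1c  28 May 2019
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3'

printf '%s\n' "$OLD_VV" | check_tls13_support || echo "-> rebuild needed"
printf '%s\n' "$NEW_VV" | check_tls13_support
```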

Hurreyyyyyy… finally TLS 1.3 is enabled. Thank you very much.
Now I have to make sure my IE8 ciphers work.

./haproxy -vv | grep OpenSSL
Built with OpenSSL version : OpenSSL 1.1.1c 28 May 2019
Running on OpenSSL version : OpenSSL 1.1.1c 28 May 2019
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3

So how do I configure the OpenSSL build with enable-weak-ssl-ciphers?

What would be the exact command for it? Is it something like this?
./config --prefix=$STATICLIBSSL $enable-weak-ssl-ciphers no-shared

Without the dollar sign, it’s an option just like no-shared:

./config --prefix=$STATICLIBSSL enable-weak-ssl-ciphers no-shared

Don’t forget to make clean in both openssl and haproxy source directories before reconfiguring/rebuilding.

Thank you for your help, everything looks fine!!

Ok, cool.

But you have to remember that you will need to go through this procedure every time OpenSSL publishes a new release with security bugfixes.

You cannot just apt-get upgrade or yum update anymore, as that won’t touch your local openssl and haproxy build.

Okay sure, one last question: what would be the best approach for downgrading the HAProxy version?

Just use the same procedure with older source code. But make sure that you remove obsolete and update init.d scripts / systemd unit files.

Sorry to revive this old topic, but I would like to simplify the process for getting TLS 1.3 on CentOS 7 in a manner that is more sustainable in operations.

The EPEL repository allows installing openssl 1.1.1 in parallel with the existing version.

yum install epel-release
yum install openssl11

I would like to compile haproxy to dynamically (not statically) link to the shared library. Of course, when openssl11 is updated to a more recent version, I expect haproxy to not break.

Has anybody tried that already, and is it even possible to dynamically link to an alternative version of openssl, when compiling haproxy?

It installs to the following path:
/usr/bin/openssl11

Does this make sense to anyone?

I may not be very good at compiling things, but I found a way to compile a working haproxy, linking dynamically to openssl11.
However, I am not sure if my solution will be stable on the next yum update of openssl11, because I had to manually create symlinks in /usr/lib64/. Otherwise, ld would fail to find the openssl11 shared library.

This is how I made it work:

yum install epel-release
yum install openssl11 openssl11-devel
yum remove openssl-devel
cd /usr/lib64/
ln -s libcrypto.so.1.1 libcrypto.so
ln -s libssl.so.1.1 libssl.so
cd /tmp/my_haproxy_build_directory/
make TARGET=generic USE_OPENSSL=1 SSL_LIB=/bin/openssl11 SSL_INC=/usr/include/openssl11

The resulting haproxy binary will display as:

# haproxy -vv | egrep 'HA-Proxy version|Running on:|OpenSSL'
HA-Proxy version 2.2.8-7bf78d7 2021/01/13 - https://haproxy.org/
Running on: Linux 3.10.0-1160.11.1.el7.x86_64 #1 SMP Fri Dec 18 16:34:56 UTC 2020 x86_64
Built with OpenSSL version : OpenSSL 1.1.1g FIPS  21 Apr 2020
Running on OpenSSL version : OpenSSL 1.1.1g FIPS  21 Apr 2020
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3

Notice, without the symlinks, compilation will error out as follows:

  LD      haproxy
/bin/ld: cannot find -lssl
/bin/ld: cannot find -lcrypto
collect2: error: ld returned 1 exit status
make: *** [haproxy] Error 1

The linker just doesn’t seem to find the library:

ld -lssl --verbose
[...]
==================================================
attempt to open //usr/x86_64-redhat-linux/lib64/libssl.so failed
attempt to open //usr/x86_64-redhat-linux/lib64/libssl.a failed
attempt to open //usr/lib64/libssl.so failed
attempt to open //usr/lib64/libssl.a failed
attempt to open //usr/local/lib64/libssl.so failed
attempt to open //usr/local/lib64/libssl.a failed
attempt to open //lib64/libssl.so failed
attempt to open //lib64/libssl.a failed
attempt to open //usr/x86_64-redhat-linux/lib/libssl.so failed
attempt to open //usr/x86_64-redhat-linux/lib/libssl.a failed
attempt to open //usr/local/lib/libssl.so failed
attempt to open //usr/local/lib/libssl.a failed
attempt to open //lib/libssl.so failed
attempt to open //lib/libssl.a failed
attempt to open //usr/lib/libssl.so failed
attempt to open //usr/lib/libssl.a failed
ld: cannot find -lssl

Is there a way to tell the linker to look for other names (i.e. libssl.so.1.1 and libcrypto.so.1.1) in order to obsolete the nasty manual symlinks?

And does anyone know if this way to compile haproxy will be resilient to future yum updates?

Thanks, Toni
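One way to avoid the symlinks in /usr/lib64, as an added example that is not from this thread or the HAProxy project: haproxy's Makefile links with "-L$SSL_LIB -lssl -lcrypto", and GNU ld resolves -lssl to a file named libssl.so in that directory, so a private directory of symlinks pointing at the packaged sonames is enough; the linked binary records the SONAME (libssl.so.1.1), not the symlink, so a yum update of openssl11-libs is picked up at run time without rebuilding. Assumptions: the sonames are in /usr/lib64 and the headers in /usr/include/openssl11 as in the post above, and the source tree path is the placeholder used there.

```shell
#!/bin/sh
# Added example (not from the thread): build haproxy against EPEL's openssl11
# without touching /usr/lib64.  A private "shim" directory holds libssl.so and
# libcrypto.so symlinks to the packaged sonames; make gets it via SSL_LIB.

# make_ssl_shim_dir SHIMDIR [SYSLIB]: create the symlink directory.
# Fails early if a soname is missing instead of letting ld fail later.
make_ssl_shim_dir() {
    shim=$1; syslib=${2:-/usr/lib64}
    mkdir -p "$shim" || return 1
    for lib in libssl libcrypto; do
        target="$syslib/$lib.so.1.1"
        if [ ! -e "$target" ]; then
            echo "missing $target (yum install openssl11-libs?)" >&2
            return 1
        fi
        ln -sfn "$target" "$shim/$lib.so" || return 1
    done
}

# build_haproxy_dyn SRCDIR SHIMDIR: same make invocation as in the post,
# but with the shim directory as the library search path.
build_haproxy_dyn() {
    make -C "$1" TARGET=linux-glibc USE_OPENSSL=1 \
        SSL_INC=/usr/include/openssl11 SSL_LIB="$2"
}

# verify_dynamic_link BINARY: the binary must depend on the 1.1 sonames,
# i.e. it follows the packaged library across future yum updates.
verify_dynamic_link() {
    ldd "$1" | grep -q 'libssl\.so\.1\.1' && ldd "$1" | grep -q 'libcrypto\.so\.1\.1'
}

# Run the full procedure only when invoked as "build" (paths are placeholders).
if [ "${1:-}" = "build" ]; then
    make_ssl_shim_dir /tmp/openssl11-shim &&
    build_haproxy_dyn /tmp/my_haproxy_build_directory /tmp/openssl11-shim &&
    verify_dynamic_link /tmp/my_haproxy_build_directory/haproxy &&
    /tmp/my_haproxy_build_directory/haproxy -vv | grep 'OpenSSL library supports :'
fi
```

If `rpm -ql openssl11-devel` shows a directory that already ships libssl.so and libcrypto.so symlinks, pass that directory as SSL_LIB instead and skip the shim.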