HAProxy community

TLS1.3 not operating in V1.8.14


#1

Hi All,

Hope I am not doing anything daft, but seems that I cannot get TLS1.3 to work in a self-compiled version of HAProxy 1.8.14 (with static OpenSSL 1.1.1)

When I try link using a browser, I just get TLS1.2 reported.
Sure enough, when I run nmap --script ssl-enum-ciphers I get;

443/tcp open https
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256

         compressors:
             NULL
         cipher preference: server

I also tried adding the force-tlsv13 directive, and then re-ran the above, result being that no ciphers were offered, which I think demonstrates that the TLS1.3 ciphers are not being selected.

A rough (redacted) version of the config I am running is as follows;

global
maxconn 4096
tune.ssl.default-dh-param 2048
ssl-default-bind-ciphers TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:TLS13-CHACHA20-POLY1305-SHA256:EECDH+AESGCM:EECDH+CHACHA20
ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11

frontend gateway-main-secure-frontend
bind LBVIP:443 ssl crt /etc/haproxy/certs

Here’s the version dump:

haproxy -vv
HA-Proxy version 1.8.14-52e4d43 2018/09/20
Copyright 2000-2018 Willy Tarreau willy@haproxy.org

Build options :
TARGET = linux2628
CPU = generic
CC = gcc
CFLAGS = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv -fno-strict-overflow -Wno-format-truncation -Wno-null-dereference -Wno-unused-label
OPTIONS = USE_OPENSSL=1 USE_LUA=1 USE_SYSTEMD=1 USE_STATIC_PCRE2=1 USE_PCRE2_JIT=1

Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with OpenSSL version : OpenSSL 1.1.1 11 Sep 2018
Running on OpenSSL version : OpenSSL 1.1.1 11 Sep 2018
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
Built with Lua version : Lua 5.3.3
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Encrypted password support via crypt(3): yes
Built with multi-threading support.
Built with PCRE2 version : 10.31 2018-02-12
PCRE2 library supports JIT : yes
Built without compression support (neither USE_ZLIB nor USE_SLZ are set).
Compression algorithms supported : identity(“identity”)
Built with network namespace support.

Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.

Available filters :
[SPOE] spoe
[COMP] compression
[TRACE] trace

And here is my build options;

sudo ./config --prefix=/blah/openssl/1.1.1/target --openssldir=/blah/openssl/1.1.1/target no-shared no-ssl2 no-ssl3 no-weak-ssl-ciphers
sudo make
sudo make install

sudo make clean
sudo make TARGET=linux2628 USE_OPENSSL=1 SSL_LIB=/blah/openssl/1.1.1/target/lib SSL_INC=/blah/openssl/1.1.1/target/include ADDLIB=-lpthread USE_STATIC_PCRE2=1 USE_PCRE2_JIT=1 PCRE2_LIB=/blah/pcre2/10.31/target/lib PCRE2_INC=/blah/pcre2/10.31/target/include USE_LUA=1 USE_SYSTEMD=1
sudo make install

Any ideas what I might be doing wrong? Thanks in advance


#2

Build looks fine, the configuration is not completely correct, in that there are no ciphers like “TLS13-AES-256-GCM-SHA384” (please see man 1 ciphers), and also, you cannot specify them with the ciphers or ssl-default-bind-ciphers keyword, as they are only for TLSv1.2 and below.

However, OpenSSL has the default TLSv1.3 ciphersuites:
TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"

which works just fine.

What exact browser, in what release and on what OS? Only Chrome 70 currently supports TLSv1.3, Firefox has yet to release v63 with TLSv1.3 support. Note that pre-standard draft implementations are not compatible with OpenSSL 1.1.1. So just because it works with Cloudflare, doesn’t mean it will work with OpenSSL. Also you may have TLS intercepting middleboxes in between the server and you, so watch out for that.

I suggest you run the openssl 1.1.1 client locally (not crossing any networks, not using any browsers):

/blah/openssl/1.1.1/target/bin/openssl s_client -connect <hostname>:443 -servername <hostname>

Haproxy v1.8.15 will introduce support for the new OpenSSL API to configure TLSv1.3 ciphersuites, you can check the documentation here: ssl-default-bind-ciphersuites.

If you want to test this now, you can grab the current 1.8 snapshot (which is unreleased, but still a stable branch, so it’s not like you are using a bleeding edge development tree):
http://www.haproxy.org/download/1.8/src/snapshot/haproxy-ss-20181017.tar.gz

However, that is not your problem. Likely your test tools miss support of the (real, standardized) TLSv1.3.


#3

“Likely your test tools miss support of the (real, standardized) TLSv1.3.”

Doh (slaps head…) - I’m sorry to waste your time. That is exactly what it was. So I recognised that indeed in Chrome 70 there is some TLS1.3 activity going on there. Mainly, once I had gotten OpenSSL as a standalone client working at 1.1.1, then all was revealed.
Coincidentally, Firefox 63 went to general release yesterday I think, and as you had stated, the full TLS1.3 implementation is there, and I can see that now reflected in the protocol negotiation.
I will however look at 1.8.15 - I did see a note about the control of the ciphers being made available separately…
Thanks for giving me the sense check… appreciated!

Best Regards

Andy