HAProxy community

Use different TLS versions

Hi!
I have HAProxy working well, but now we noticed that an old app on one of the containers needs TLS 1.1. I’m requiring 1.2 as a minimum, and I don’t want to degrade all the other apps to support the legacy one.
Since I’m using TLS termination and I can’t bind 443 again, how can I support a different TLS version to a specific backend?
Thanks a lot!

When using OpenSSL 1.1.1, you can use the crt-list feature to configure TLS settings per certificate.


Thanks @lukastribus for your help.
I added the crt-list.txt on the config file and, following the example on the docs, added a filter on the desired line:

/etc/ssl/haproxy/xpto.com.pem [ssl-min-ver TLSv1.1] xpto.com

It doesn’t seem to make a difference on this one, and it seems to mess up the following lines. Am I typing it incorrectly?
Thanks again!

Can you share the output of haproxy -vv? What does the certificate structure look like?

Not sure what that means? Mess up how?

By “mess up” I mean that it mixes certificates between different domains and a “Your connection is not secure” warning appears.
Here’s the -vv output:

ubuntu@haproxy:~$ haproxy -vv
HA-Proxy version 1.8.8-1ubuntu0.10 2020/04/03
Copyright 2000-2018 Willy Tarreau willy@haproxy.org

Build options :
TARGET = linux2628
CPU = generic
CC = gcc
CFLAGS = -g -O2 -fdebug-prefix-map=/build/haproxy-RAYurj/haproxy-1.8.8=. -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2
OPTIONS = USE_GETADDRINFO=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_LUA=1 USE_SYSTEMD=1 USE_PCRE=1 USE_PCRE_JIT=1 USE_NS=1

Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with OpenSSL version : OpenSSL 1.1.1 11 Sep 2018
Running on OpenSSL version : OpenSSL 1.1.1 11 Sep 2018
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
Built with Lua version : Lua 5.3.3
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Encrypted password support via crypt(3): yes
Built with multi-threading support.
Built with PCRE version : 8.39 2016-06-14
Running on PCRE version : 8.39 2016-06-14
PCRE library supports JIT : yes
Built with zlib version : 1.2.11
Running on zlib version : 1.2.11
Compression algorithms supported : identity(“identity”), deflate(“deflate”), raw-deflate(“deflate”), gzip(“gzip”)
Built with network namespace support.

Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.

Available filters :
[SPOE] spoe
[COMP] compression
[TRACE] trace

Thanks

Do I need to upgrade to haproxy 2+ to use crt-list?

No, this should be supported in haproxy-1.8 just fine.

Very strange that you get the wrong certificates served now. Can you share your haproxy configuration and give me a better picture of the certificates you are using, and which certificate is shown?

Is the wrong certificate the same one that is shown when you access the IP address of the haproxy in https?

Here’s the haproxy.conf (I only left one and renamed it to xpto since this is a public thread):

global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    user haproxy
    group haproxy
    daemon
    tune.ssl.default-dh-param 2048

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    # An alternative list with additional directives can be obtained from
    #  https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3

defaults
    log global
    mode http
    option httplog
    option dontlognull
    option forwardfor
    option http-server-close
    timeout connect 5s
    timeout client 600s
    timeout server 600s
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

frontend www_frontend
    bind *:80
    # TLS termination; per-certificate TLS options come from the crt-list file
    bind *:443 ssl crt-list /etc/haproxy/crt-list.txt

    acl host_xpto hdr(host) -i xpto.com

    use_backend xpto_servers if host_xpto

backend xpto_servers
    http-request set-header X-Client-IP %[src]
    server xpto xpto.lxd:80

Regarding the wrong certificate, yes, it is.
It uses the first on the crt-list.txt.

You don’t have to specify the snifilter; it’s optional and not needed in this case. I suggest you just try:

/etc/ssl/haproxy/xpto.com.pem [ssl-min-ver TLSv1.1]

in the crt-list.

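Putting the two answers together (the crt-list suggestion earlier in the thread and the filter-less entry in this reply), here is an added example of the complete setup. It is not configuration taken from the thread or shipped by HAProxy; the hostnames, certificate paths and backend names are placeholders, and the global ssl-min-ver line is an assumption about how the "1.2 as a minimum" requirement is enforced. Both files are shown in one block, separated by comment headers.

```haproxy
# ---- /etc/haproxy/haproxy.cfg (only the TLS-relevant lines) ----
global
    # Fleet-wide floor: every certificate starts at TLS 1.2.  A crt-list
    # entry can lower (or raise) this for one certificate only.
    ssl-default-bind-options ssl-min-ver TLSv1.2

frontend www_frontend
    # Same bind line as in the thread; the per-certificate options live in the list.
    bind *:443 ssl crt-list /etc/haproxy/crt-list.txt
    # Routing is still by Host header, but the TLS floor is selected by SNI:
    # a client only gets the relaxed settings if it sends SNI legacy.example.com.
    acl host_legacy hdr(host) -i legacy.example.com
    use_backend legacy_servers if host_legacy
    default_backend modern_servers

backend modern_servers
    server app1 app.example.internal:8080

backend legacy_servers
    server old1 legacy.example.internal:8080

# ---- /etc/haproxy/crt-list.txt ----
# Format of a line: <crtfile> [ssl options in brackets] [<snifilter> ...]
#
# The first entry is also the default certificate: HAProxy serves it when the
# client sends no SNI, or a name that matches nothing.  Keep a modern,
# full-floor certificate here (placeholder path).
/etc/ssl/haproxy/www.example.com.pem

# Legacy app: TLS 1.1 is accepted for this certificate only.  No SNI filter
# is given, so the served names come from the certificate's CN/SAN, which is
# the form that worked in this thread.
/etc/ssl/haproxy/legacy.example.com.pem [ssl-min-ver TLSv1.1]
```

Validate with `haproxy -c -f /etc/haproxy/haproxy.cfg`, reload, then check from a client: `openssl s_client -connect <haproxy-ip>:443 -servername legacy.example.com -tls1_1` should complete the handshake, the same command with `-servername www.example.com` should be refused, and `-tls1_0` should be refused for both names. A current OpenSSL may itself refuse to speak TLS 1.1 at its default security level; add `-cipher 'DEFAULT:@SECLEVEL=0'` to the s_client command for the test. Two caveats: per-certificate options need an HAProxy built against OpenSSL 1.1.1 (the -vv output above shows one), and TLS 1.1 is deprecated (RFC 8996), so keep the exception scoped to the one certificate that needs it and remove the option once the app is updated.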

@lukastribus, you’re awesome.
Apparently the problem was related to the snifilter.
Thank you again for your help!
