What does the warning "SSLv3 support requested but unavailable" mean?


#1

In my newly configured Docker container (definition here), I am noticing a strange error when I run haproxy -vv:

 haproxy -vv
[ALERT] 344/060406 (10) : SSLv3 support requested but unavailable.
HA-Proxy version 1.6.2 2015/11/03
Copyright 2000-2015 Willy Tarreau <willy@haproxy.org>

Build options :
  TARGET  = linux2628
  CPU     = generic
  CC      = gcc
  CFLAGS  = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement
  OPTIONS = USE_ZLIB=1 USE_OPENSSL=1 USE_LUA=yes USE_PCRE=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.8
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with OpenSSL version : OpenSSL 1.0.2d 9 Jul 2015
Running on OpenSSL version : OpenSSL 1.0.2d 9 Jul 2015
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.35 2014-04-04
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with Lua version : Lua 5.3.2
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

I can see the warning originates from:

	if (bind_conf->ssl_options & BC_SSL_O_USE_SSLV3) {
#ifndef OPENSSL_NO_SSL3
		SSL_CTX_set_ssl_version(ctx, SSLv3_server_method());
#else
		Alert("SSLv3 support requested but unavailable.\n");
		cfgerr++;
#endif
	}

I can see this blog about SSL v3

http://blog.haproxy.com/2014/10/15/haproxy-and-sslv3-poodle-vulnerability/

Is the issue simply that I should be compiling with OPENSSL_NO_SSL3?


#2

Hi Sam -

This is related to the Lua support forcing an SSLv3 socket, which doesn’t work on Linux distros that don’t ship with SSLv3 support. This bug is fixed upstream:

Hope that helps!

- Andrew
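One way to triage this alert, as an added example that is not code from either post or from HAProxy: it scans a configuration for force-sslv3, the HAProxy 1.5/1.6 keyword that sets BC_SSL_O_USE_SSLV3, and reports when the alert cannot be traced to the configuration, which is the case the reply above attributes to the Lua socket. The function names and the sample configuration are constructed for illustration.

```python
ALERT = "SSLv3 support requested but unavailable"

# Directives that accept force-sslv3 in HAProxy 1.5/1.6 (taken from HAProxy's
# configuration manual, not from this thread).
CARRIERS = {"bind", "server", "default-server",
            "ssl-default-bind-options", "ssl-default-server-options"}
SECTIONS = {"global", "defaults", "frontend", "backend", "listen"}

# Constructed sample configuration (paths and addresses are made up).
SAMPLE_CFG = """\
global
    ssl-default-bind-options no-sslv3
frontend fe_tls
    bind :443 ssl crt /etc/haproxy/site.pem force-sslv3  # legacy client
    bind :8443 ssl crt /etc/haproxy/site.pem
backend be_app
    server app1 10.0.0.5:443 ssl verify none
"""


def find_force_sslv3(cfg_text):
    """Return (line_no, section, directive) for every line requesting SSLv3."""
    hits, section = [], None
    for line_no, raw in enumerate(cfg_text.splitlines(), 1):
        # Simplification: everything after '#' is treated as a comment,
        # so quoted or escaped '#' characters are not handled.
        tokens = raw.split("#", 1)[0].split()
        if not tokens:
            continue
        if tokens[0] in SECTIONS:
            section = " ".join(tokens[:2])
        elif tokens[0] in CARRIERS and "force-sslv3" in tokens[1:]:
            hits.append((line_no, section, tokens[0]))
    return hits


def triage(startup_output, cfg_text):
    """Classify the alert: absent, caused by the config, or from elsewhere."""
    if ALERT not in startup_output:
        return "no-alert"
    if find_force_sslv3(cfg_text):
        return "config-requests-sslv3"
    # Nothing in the config asks for SSLv3, so the request is built in.
    return "not-from-config"


if __name__ == "__main__":
    alert = "[ALERT] 344/060406 (10) : SSLv3 support requested but unavailable."
    print(triage(alert, SAMPLE_CFG), find_force_sslv3(SAMPLE_CFG))
```

A "not-from-config" result means removing directives will not silence the alert; the fix then has to come from the HAProxy build itself.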