HAProxy community

What is the SSL implementation used in HAProxy?


#1

Which SSL implementation is used in HAProxy? Did HAProxy develop its own SSL stack for the protocol, ciphers, and other things? I found references to OpenSSL in the manual. What role does OpenSSL play in HAProxy's SSL stack?


#2

Haproxy uses OpenSSL for everything SSL related, it does not implement a dedicated SSL stack.


#3

Hello Lukas,

The cipher suite that is supported by openssl 1.02k is
ECDHE-ECDSA-AES128-SHA256

However, when I try to query as below
echo | openssl s_client -connect IPADDR:443 -tls1_2 -cipher ECDHE-ECDSA-AES128-SHA256
CONNECTED(00000003)
139733430040392:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1259:SSL alert number 40
139733430040392:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:598:

How do I fix this error?
Any hints for the same??

Thanks,
Divakar


#4

The commands were:

openssl ecparam -name secp256r1 -out ec_privkey.pem -genkey
openssl req -new -key ec_privkey.pem -out server.csr
openssl x509 -req -days 3650 -in server.csr -signkey ec_privkey.pem -out server.crt


#5

secp256r1 is an unusual certificate curve. I suggest you use prime256v1 instead, which everyone is using for ECC certificates.

Also share your configuration and the output of haproxy -vv.


#6

Hello Lukas,

Thanks for the response. It still didn't improve. I had tried the same.

haproxy --vv
HA-Proxy version 1.7.9 2017/08/18
Copyright 2000-2017 Willy Tarreau willy@haproxy.org

Usage : haproxy [-f <cfgfile|cfgdir>]* [ -vdVD ] [ -n ] [ -N ]
[ -p ] [ -m ] [ -C ] [-- ]
-v displays version ; -vv shows known build options.
-d enters debug mode ; -db only disables background mode.
-dM[] poisons memory with (defaults to 0x50)
-V enters verbose mode (disables quiet mode)
-D goes daemon ; -C changes to before loading files.
-q quiet mode : don’t display messages
-c check mode : only check config files and exit
-n sets the maximum total # of connections (2000)
-m limits the usable amount of memory (in MB)
-N sets the default, per-proxy maximum # of connections (2000)
-L set local peer name (default to hostname)
-p writes pids of all children to this file
-dp disables poll() usage even when available
-dR disables SO_REUSEPORT usage
-dr ignores server address resolution failures
-dV disables SSL verify on servers side
-sf/-st [pid ] finishes/terminates old pids.

MainView@~/TRY/ECDSA $echo | openssl s_client -connect IPADDRESS:443 -tls1_2 -cipher ECDHE-ECDSA-AES128-SHA256
CONNECTED(00000003)
140046575064904:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1259:SSL alert number 40
140046575064904:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:598:

no peer certificate available

No client certificate CA names sent

SSL handshake has read 7 bytes and written 0 bytes

New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1513729047
Timeout : 7200 (sec)
Verify return code: 0 (ok)

In my haproxy config file, I haven't set any default cipher list.

global

defaults
timeout connect 10000ms
timeout client 60000ms
timeout server 60000ms

Certificate creation is as below:

# Generating CA Certificate

if [ -f "ca.crt" ]
then
echo -e "\n CA Certificate already exists \n"
else
#openssl ecparam -list_curves
openssl ecparam -genkey -name prime256v1 -out ca.key
openssl req -x509 -new -sha256 -nodes -key ca.key -days $validity -out ca.crt -subj "/C=$country/ST=$state/L=$locality/O=$organization/OU=$organizationalunit/CN=$caname/emailAddress=$email"
fi

# Generating Local Certificate

#openssl ecparam -list_curves
openssl ecparam -genkey -name prime256v1 -out local.key
openssl req -new -key local.key -nodes -out local.csr -passin pass:$password -subj "/C=$country/ST=$state/L=$locality/O=$organization/OU=$organizationalunit/CN=$commonname/emailAddress=$email"
openssl ec -in local.key -text
openssl x509 -req -days $validity -sha256 -in local.csr -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -out local.crt

# local cert not containing the CA chain

cat local.crt >> localcertchain.pem
openssl pkcs12 -export -password pass:$password -inkey local.key -in localcertchain.pem -out $localcertfile

Am I doing anything wrong??


#7

Hello Lukas,
I have already tried this one, and there is no change in behaviour.

haproxy --vv
HA-Proxy version 1.7.9 2017/08/18

haproxy config file

global

defaults
timeout connect 10000ms
timeout client 60000ms
timeout server 60000ms

frontend fe_http2
mode tcp
bind *:8443 ssl ca-file /f0/base/haproxy/ca.pem crt /f0/base/haproxy/server.pem npn spdy/2 alpn h2,http/1.1
default_backend be_grpc

frontend fe_https
mode tcp
#pass thru to nginx. Nginx would handle the certificate.

bind *:443

bind 0.0.0.0:443
bind :::443
option tcplog
default_backend be_nginx_secure

frontend fe_http_in
#bind *:80
bind 0.0.0.0:80
bind :::80
default_backend be_nginx_insecure

# gRPC server running on port 50051 only.

backend be_grpc
mode tcp
server srv01 localhost:50051

server srv02 *:50051

backend be_nginx_secure
mode tcp
option ssl-hello-chk
server srv01 localhost:4443
server srv02 ::1:4443

backend be_nginx_insecure
mode tcp
server srv01 localhost:20080
server srv02 ::1:20080

================================================================
Certificate creation is as below:

# Generating CA Certificate

if [ -f "ca.crt" ]
then
echo -e "\n CA Certificate already exists \n"
else
#openssl ecparam -list_curves
openssl ecparam -genkey -name prime256v1 -out ca.key
openssl req -x509 -new -sha256 -nodes -key ca.key -days $validity -out ca.crt -subj "/C=$country/ST=$state/L=$locality/O=$organization/OU=$organizationalunit/CN=$caname/emailAddress=$email"
echo -e "\n============================ CA Key ===================================="
openssl ec -in ca.key -text
echo -e "\n================================================================"
fi

# Generating Local Certificate

#openssl ecparam -list_curves
openssl ecparam -genkey -name prime256v1 -out local.key
openssl req -new -key local.key -nodes -out local.csr -passin pass:$password -subj "/C=$country/ST=$state/L=$locality/O=$organization/OU=$organizationalunit/CN=$commonname/emailAddress=$email"
echo -e "\n============================ local Key ===================================="
openssl ec -in local.key -text
echo -e "\n================================================================"

# Signing

# V3 version

openssl x509 -req -days $validity -sha256 -in local.csr -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -out local.crt

# local cert not containing the CA chain

cat local.crt >> localcertchain.pem
openssl pkcs12 -export -password pass:$password -inkey local.key -in localcertchain.pem -out $localcertfile

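Worked example, added here and not taken from any post in the thread: a POSIX shell function that carries the certificate procedure above through end to end with openssl, generating a prime256v1 CA and a CA-signed server certificate, writing the single PEM bundle (leaf, chain, key) that HAProxy's crt keyword loads, and checking the chain and the curve. The subject names, the SAN, the v3.ext contents and the function names make_ecdsa_bundle and bundle_ok are assumptions.

```shell
#!/bin/sh
# Added example (not code from the thread). Builds a prime256v1 CA, a CA-signed
# server certificate and the single PEM bundle that HAProxy's "crt" keyword
# loads, then verifies it. Subject names, SAN and v3.ext contents are assumed.
set -eu

make_ecdsa_bundle() {
    dir="$1"                       # working directory, created if missing
    mkdir -p "$dir" && cd "$dir" &&

    # Root CA: EC key on prime256v1 (OpenSSL's name for NIST P-256, also
    # known as secp256r1), self-signed for 10 years
    openssl ecparam -genkey -name prime256v1 -noout -out ca.key &&
    openssl req -x509 -new -sha256 -key ca.key -days 3650 -out ca.crt \
        -subj "/C=US/O=Example Lab/CN=Example Lab Root CA" &&

    # Server key on the same curve, plus a CSR for the service name
    openssl ecparam -genkey -name prime256v1 -noout -out server.key &&
    openssl req -new -sha256 -key server.key -out server.csr \
        -subj "/C=US/O=Example Lab/CN=haproxy.example.test" &&

    # v3 extensions (constructed): end-entity TLS server cert with a SAN,
    # the kind of content the thread's v3.ext is expected to supply
    printf '%s\n' 'basicConstraints=CA:FALSE' 'keyUsage=digitalSignature' \
        'extendedKeyUsage=serverAuth' \
        'subjectAltName=DNS:haproxy.example.test' > v3.ext &&
    openssl x509 -req -sha256 -days 825 -in server.csr -extfile v3.ext \
        -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt &&

    # HAProxy reads leaf cert, then the chain, then the private key from ONE file
    cat server.crt ca.crt server.key > server.pem &&

    # Checks: the chain verifies against the CA and the bundle's key is P-256 EC
    openssl verify -CAfile ca.crt server.crt >/dev/null &&
    openssl x509 -in server.pem -noout -text | grep -q 'id-ecPublicKey' &&
    openssl pkey -in server.pem -noout -text 2>/dev/null | grep -q 'prime256v1'
}

# True when the bundle was built and every check passed; runs in a subshell so
# the caller's working directory is left alone
bundle_ok() { ( make_ecdsa_bundle "$1" ) >/dev/null 2>&1; }
```

When testing with s_client, connect to the port whose bind line actually carries `ssl crt` (8443 in the configuration above); a plain `bind *:443` without `ssl` passes the handshake through to the backend untouched.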

#8

You are not using haproxy SSL termination on port 443. You are transparently passing it to your nginx backend.

You are using SSL termination only on port 8443, which you are not accessing in your tests though.


#10

Please don’t hijack other threads. If you have a question, open a new thread. Thanks.