What is the SSL implementation used in HAProxy?


#1

Which SSL implementation is used in HAProxy? Did HAProxy develop its own SSL stack for the protocol, ciphers, and other things? I found references to OpenSSL in the manual. What role does OpenSSL play in HAProxy's SSL stack?


#2

HAProxy uses OpenSSL for everything SSL-related; it does not implement a dedicated SSL stack.


#3

Hello Luka,

The cipher suite that is supported by OpenSSL 1.0.2k is
ECDHE-ECDSA-AES128-SHA256

However, when I try to query as below
echo | openssl s_client -connect IPADDR:443 -tls1_2 -cipher ECDHE-ECDSA-AES128-SHA256
CONNECTED(00000003)
139733430040392:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1259:SSL alert number 40
139733430040392:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:598:

How do I fix this error?
Any hints for the same?

Thanks,
Divakar
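The two error lines in the post above are in the OpenSSL 1.0.x/1.1.x error format: the eight hex digits pack a library number, a function number and a reason number, and a reason at or above 1000 in the SSL library means the remote peer sent a TLS alert (reason minus 1000 is the alert code). The decoder below is an added example, not code from the thread, from HAProxy or from OpenSSL; it takes the two lines above, copied verbatim, as constructed sample input, transcribes the alert names from RFC 5246, and assumes the pre-3.0 code layout (OpenSSL 3.x packs its codes differently, so only the text fields would be meaningful there). A handshake_failure alert (40) received right after the ClientHello means the server found nothing acceptable in it; when a single ECDHE-ECDSA suite is offered, that is the server side reporting it cannot use that suite, typically because the endpoint answering the port has no ECDSA certificate for it or does not enable it.

```python
"""Decode OpenSSL-style error lines such as the two in the post above.

Added example for this thread (not code from the poster, HAProxy or OpenSSL).
Assumes the error code layout of OpenSSL 1.0.x/1.1.x:
    bits 31..24 library, bits 23..12 function, bits 11..0 reason
OpenSSL 3.x changed this layout, so the numeric split does not apply there.
"""
import re

ERR_LIB_SSL = 20              # library number printed as "SSL routines"
SSL_AD_REASON_OFFSET = 1000   # SSL reasons >= 1000 are alerts sent by the peer

# TLS alert descriptions, transcribed from RFC 5246 section 7.2, plus the
# inappropriate_fallback, unrecognized_name and no_application_protocol values
# registered by later RFCs.
TLS_ALERTS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    22: "record_overflow", 40: "handshake_failure", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error",
    86: "inappropriate_fallback", 90: "user_canceled",
    100: "no_renegotiation", 110: "unsupported_extension",
    112: "unrecognized_name", 120: "no_application_protocol",
}

# <thread>:error:<hex code>:<lib name>:<func name>:<reason text>:<file>:<line>[:<extra>]
ERR_LINE = re.compile(
    r"^(?P<tid>\d+):error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):"
    r"(?P<reason>[^:]*):(?P<file>[^:]*):(?P<line>\d+):?(?P<extra>.*)$"
)


def decode_error_line(line):
    """Split one 'error:' line into its packed numbers and text fields."""
    m = ERR_LINE.match(line.strip())
    if m is None:
        raise ValueError("not an OpenSSL error line: %r" % line)
    code = int(m.group("code"), 16)
    info = {
        "code": code,
        "library": (code >> 24) & 0xFF,
        "function": (code >> 12) & 0xFFF,
        "reason": code & 0xFFF,
        "lib_name": m.group("lib"),
        "func_name": m.group("func"),
        "reason_text": m.group("reason"),
        "file": m.group("file"),
        "line": int(m.group("line")),
        "extra": m.group("extra").strip(),
        "alert": None,
        "alert_name": None,
    }
    # Reasons >= 1000 in the SSL library are TLS alerts received from the peer:
    # the other side, not the local openssl, refused the handshake.
    if info["library"] == ERR_LIB_SSL and info["reason"] >= SSL_AD_REASON_OFFSET:
        info["alert"] = info["reason"] - SSL_AD_REASON_OFFSET
        info["alert_name"] = TLS_ALERTS.get(info["alert"], "unknown")
    return info


def alert_matches_suffix(info):
    """Cross-check the packed reason against the 'SSL alert number N' suffix.

    Returns None when the line carries no alert to compare."""
    m = re.search(r"SSL alert number (\d+)", info["extra"])
    if m is None or info["alert"] is None:
        return None
    return int(m.group(1)) == info["alert"]


def decode_error_output(text):
    """Decode every error line in s_client output, ignoring the other lines."""
    return [decode_error_line(l) for l in text.splitlines() if ":error:" in l]


# Constructed sample input: the output from the post, copied verbatim.
SAMPLE_OUTPUT = """CONNECTED(00000003)
139733430040392:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1259:SSL alert number 40
139733430040392:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:598:
"""

if __name__ == "__main__":
    for info in decode_error_output(SAMPLE_OUTPUT):
        print("%s (lib %d, func %d, reason %d) in %s:%d" % (
            info["func_name"], info["library"], info["function"],
            info["reason"], info["file"], info["line"]))
        if info["alert"] is not None:
            print("  peer sent alert %d (%s); suffix agrees: %s" % (
                info["alert"], info["alert_name"], alert_matches_suffix(info)))
        else:
            print("  local error: %s" % info["reason_text"])
```

The first line decodes to reason 1040, i.e. alert 40 (handshake_failure) sent by the server while the client was in SSL3_READ_BYTES; the second is the local follow-up error (reason 229, "ssl handshake failure") raised when openssl gives up writing, and carries no alert. The distinction matters for the thread: the refusal came from whatever answered port 443, so that endpoint's configuration, not the client's cipher string, is what to look at.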


#4

The commands were:

openssl ecparam -name secp256r1 -out ec_privkey.pem -genkey
openssl req -new -key ec_privkey.pem -out server.csr
openssl x509 -req -days 3650 -in server.csr -signkey ec_privkey.pem -out server.crt


#5

secp256r1 is an unusual certificate curve. I suggest you use prime256v1 instead, which everyone is using for ECC certificates.

Also share your configuration and the output of haproxy -vv.


#7

Hello Luca,
I have tried already this one and no change in behaviour.

haproxy -vv
HA-Proxy version 1.7.9 2017/08/18

HAProxy config file:

global

defaults
    timeout connect 10000ms
    timeout client 60000ms
    timeout server 60000ms

frontend fe_http2
    mode tcp
    bind *:8443 ssl ca-file /f0/base/haproxy/ca.pem crt /f0/base/haproxy/server.pem npn spdy/2 alpn h2,http/1.1
    default_backend be_grpc

frontend fe_https
    mode tcp
    # pass through to nginx. Nginx would handle the certificate.
    bind *:443
    bind 0.0.0.0:443
    bind :::443
    option tcplog
    default_backend be_nginx_secure

frontend fe_http_in
    #bind *:80
    bind 0.0.0.0:80
    bind :::80
    default_backend be_nginx_insecure

# gRPC server running on port 50051 only.
backend be_grpc
    mode tcp
    server srv01 localhost:50051
    server srv02 *:50051

backend be_nginx_secure
    mode tcp
    option ssl-hello-chk
    server srv01 localhost:4443
    server srv02 ::1:4443

backend be_nginx_insecure
    mode tcp
    server srv01 localhost:20080
    server srv02 ::1:20080

================================================================
Certificate creation is as below:

Generating CA Certificate

if [ -f "ca.crt" ]
then
echo -e "\n CA Certificate already exist \n"
else
#openssl ecparam -list_curves
openssl ecparam -genkey -name prime256v1 -out ca.key
openssl req -x509 -new -sha256 -nodes -key ca.key -days $validity -out ca.crt -subj "/C=$country/ST=$state/L=$locality/O=$organization/OU=$organizationalunit/CN=$caname/emailAddress=$email"
echo -e "\n============================ CA Key ===================================="
openssl ec -in ca.key -text
echo -e "\n================================================================"
fi

Generating Local Certificate

#openssl ecparam -list_curves
openssl ecparam -genkey -name prime256v1 -out local.key
openssl req -new -key local.key -nodes -out local.csr -passin pass:$password -subj "/C=$country/ST=$state/L=$locality/O=$organization/OU=$organizationalunit/CN=$commonname/emailAddress=$email"
echo -e "\n============================ local Key ===================================="
openssl ec -in local.key -text
echo -e "\n================================================================"

Signing

V3 version

openssl x509 -req -days $validity -sha256 -in local.csr -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -out local.crt

local cert not containing the CA chain

cat local.crt >> localcertchain.pem
openssl pkcs12 -export -password pass:$password -inkey local.key -in localcertchain.pem -out $localcertfile


#8

You are not using haproxy SSL termination on port 443. You are transparently passing it to your nginx backend.

You are using SSL termination only on port 8443, which you are not accessing in your tests though.
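The diagnosis in the reply above can be checked mechanically: a bind line only terminates TLS in HAProxy when it carries the ssl keyword (and a crt), and a bind without it in a mode tcp frontend is passthrough, so the TLS handshake is answered by whatever the backend is. The script below is an added example, not code from HAProxy or from either poster. It parses only the part of the configuration grammar needed for this check (section headers, mode, bind, default_backend); the table of bind parameters that take a value is an assumption covering common keywords rather than the full grammar, and the sample input is an abridged copy of the configuration from post #7 (the free-text gRPC note turned into a comment, the plaintext nginx backend omitted).

```python
"""Report which HAProxy "bind" lines terminate TLS and which are TCP passthrough.

Added example for this thread, not code from HAProxy or from the poster.
Parses section headers, "mode", "bind" and "default_backend" only.
"""

SECTION_KEYWORDS = ("global", "defaults", "frontend", "backend", "listen")

# Bind parameters that consume the following token (assumed subset of the
# HAProxy grammar); anything else, e.g. "ssl" or "v4v6", is treated as a flag.
BIND_PARAMS_WITH_VALUE = {
    "crt", "crt-list", "ca-file", "crl-file", "ciphers", "verify", "alpn", "npn",
    "curves", "ecdhe", "name", "id", "process", "maxconn", "backlog", "interface",
    "namespace", "mss", "nice", "tcp-ut", "ssl-min-ver", "ssl-max-ver",
}


def parse_bind(tokens):
    """tokens: the words after 'bind'. Returns one dict per listening address."""
    params = {}
    i = 1
    while i < len(tokens):
        key = tokens[i]
        if key in BIND_PARAMS_WITH_VALUE and i + 1 < len(tokens):
            params[key] = tokens[i + 1]
            i += 2
        else:
            params[key] = True
            i += 1
    return [{
        "address": addr,
        "port": addr.rsplit(":", 1)[-1],          # works for *:443, 0.0.0.0:443, :::443, [::]:443
        "tls_terminated": params.get("ssl") is True,
        "crt": params.get("crt"),
        "alpn": params.get("alpn"),
    } for addr in tokens[0].split(",")]


def parse_sections(config_text):
    """Split the config into (kind, name, [tokenised lines]) in file order."""
    sections = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        if tokens[0] in SECTION_KEYWORDS:
            sections.append((tokens[0], tokens[1] if len(tokens) > 1 else "", []))
        elif sections:
            sections[-1][2].append(tokens)
    return sections


def tls_report(config_text):
    """Per frontend/listen section: mode, default backend and classified binds."""
    default_mode = "tcp"  # HAProxy's built-in default when no 'mode' is set anywhere
    report = {}
    for kind, name, lines in parse_sections(config_text):
        if kind == "defaults":
            for t in lines:
                if t[0] == "mode" and len(t) > 1:
                    default_mode = t[1]
            continue
        if kind not in ("frontend", "listen"):
            continue
        mode, backend, binds = default_mode, None, []
        for t in lines:
            if t[0] == "mode" and len(t) > 1:
                mode = t[1]
            elif t[0] == "bind" and len(t) > 1:
                binds.extend(parse_bind(t[1:]))
            elif t[0] == "default_backend" and len(t) > 1:
                backend = t[1]
        for b in binds:
            if b["tls_terminated"]:
                b["role"] = "TLS terminated by HAProxy"
            elif mode == "tcp":
                b["role"] = "TCP passthrough; any TLS is terminated by the backend"
            else:
                b["role"] = "plaintext HTTP"
        report[name] = {"mode": mode, "default_backend": backend, "binds": binds}
    return report


def port_terminates_tls(config_text, port):
    """True if at least one bind on this port carries the 'ssl' keyword."""
    return any(b["tls_terminated"]
               for section in tls_report(config_text).values()
               for b in section["binds"] if b["port"] == str(port))


# Constructed sample input: abridged copy of the configuration posted above.
SAMPLE_CONFIG = """
global

defaults
    timeout connect 10000ms

frontend fe_http2
    mode tcp
    bind *:8443 ssl ca-file /f0/base/haproxy/ca.pem crt /f0/base/haproxy/server.pem npn spdy/2 alpn h2,http/1.1
    default_backend be_grpc

frontend fe_https
    mode tcp
    # pass through to nginx. Nginx would handle the certificate.
    bind *:443
    bind 0.0.0.0:443
    bind :::443
    option tcplog
    default_backend be_nginx_secure

frontend fe_http_in
    bind 0.0.0.0:80
    bind :::80
    default_backend be_nginx_insecure

# gRPC server running on port 50051 only.
backend be_grpc
    mode tcp
    server srv01 localhost:50051

backend be_nginx_secure
    mode tcp
    option ssl-hello-chk
    server srv01 localhost:4443
"""

if __name__ == "__main__":
    for name, section in tls_report(SAMPLE_CONFIG).items():
        print("%s (mode %s -> %s)" % (name, section["mode"], section["default_backend"]))
        for b in section["binds"]:
            detail = " crt=%s alpn=%s" % (b["crt"], b["alpn"]) if b["crt"] else ""
            print("  %-12s %s%s" % (b["address"], b["role"], detail))
    print("port 443 terminated by HAProxy:", port_terminates_tls(SAMPLE_CONFIG, 443))
    print("port 8443 terminated by HAProxy:", port_terminates_tls(SAMPLE_CONFIG, 8443))
```

Run against the posted configuration it reports port 443 as passthrough to be_nginx_secure and port 8443 as the only TLS-terminating bind (with the ECDSA cert from server.pem and alpn h2,http/1.1), which is why an s_client test against 443 exercises nginx's certificate and cipher list, not HAProxy's. Note that option ssl-hello-chk in the backend is a health check HAProxy sends to nginx and does not make the frontend terminate anything.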


#10

Please don’t hijack other threads. If you have a question, open a new thread. Thanks.