Why 'set ssl tls-key' is unknown command?


#1

Hi.
I have used ‘set ssl tls-key’ with the unix command in version 1.6.x.
However, in version 1.7.x, ‘set ssl tls-key’ fails with “Unknown command”.
I have just changed the version, and I’m wondering why the command, which is the one specified in the guide, does not run in 1.7.x.


[root@SI3012-146 ~]# haproxy -vv
HA-Proxy version 1.7.9 2017/08/18
Copyright 2000-2017 Willy Tarreau willy@haproxy.org

Build options :
TARGET = linux2628
CPU = generic
CC = gcc
CFLAGS = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv
OPTIONS = USE_OPENSSL=1 USE_PCRE=1

Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built without compression support (neither USE_ZLIB nor USE_SLZ are set)
Compression algorithms supported : identity("identity")
Built with OpenSSL version : OpenSSL 1.0.2k 26 Jan 2017
Running on OpenSSL version : OpenSSL 1.0.2k 26 Jan 2017
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 7.8 2008-09-05
Running on PCRE version : 7.8 2008-09-05
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built without Lua support
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND

Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.

Available filters :
[SPOE] spoe
[TRACE] trace
[COMP] compression


[root@SI3012-146 ~]# echo "show tls-keys *" | /usr/bin/socat stdio /var/run/haproxy.stat1

id secret

0 (/etc/haproxy/ssl/tls-ticket.key)

0.0 Wvd6NYlEbXZQc2y26RoipMaXDemegdx7lkE3cWqDHVfxGMPEEMrnhSYkZ5qEL72e
0.1 U2zwaYtNmjmhID7uDOVS+Uvu/2nQcAoyAndHfTNDqT2Yw3QWiajLkIf7dlrdB1Il
0.2 9dGgFVZnSGV2rKQRtAj8lgw4EPlBjF1rnknsOiDlbXUeu0b2HoEqWl5qPqmVWM7N


[root@SI3012-146 ~]# echo "set ssl tls-key /etc/haproxy/ssl/tls-ticket.key Md204uGmRboB2gtcHPEa/2GxYnvayIBNY7Vr/YRFX9OgfyzFabQp6PccYhlJ8vzs" | /usr/bin/socat stdio /var/run/haproxy.stat1

Unknown command. Please enter one of the following commands only :
help : this message
prompt : toggle interactive mode with prompt
quit : disconnect
show tls-keys [id|*]: show tls keys references or dump tls ticket keys when id specified
set maxconn global : change the per-process maxconn setting
set rate-limit : change a rate limiting value
set timeout : change a timeout setting
show env [var] : dump environment variables known to the process
show stat resolvers [id]: dumps counters from all resolvers section and
associated name servers
add acl : add acl entry
clear acl : clear the content of this acl
del acl : delete acl entry
get acl : report the patterns matching a sample for an ACL
show acl [id] : report available acls or dump an acl’s contents
add map : add map entry
clear map : clear the content of this map
del map : delete map entry
get map : report the keys and values matching a sample for a map
set map : modify map entry
show map [id] : report available maps or dump a map’s contents
show pools : report information about the memory pools usage
show sess [id] : report the list of current sessions or dump this session
shutdown session : kill a specific session
shutdown sessions server : kill sessions on a server
clear counters : clear max statistics counters (add ‘all’ for all counters)
show info : report information about the running process
show stat : report counters for each proxy and server
show errors : report last request and response errors for each proxy
clear table : remove an entry from a table
set table [id] : update or create a table entry’s data
show table [id]: report table usage stats or dump this table’s contents
disable frontend : temporarily disable specific frontend
enable frontend : re-enable specific frontend
set maxconn frontend : change a frontend’s maxconn setting
show servers state [id]: dump volatile server information (for backend )
show backend : list backends in the current running config
shutdown frontend : stop a specific frontend
disable agent : disable agent checks (use ‘set server’ instead)
disable health : disable health checks (use ‘set server’ instead)
disable server : disable a server for maintenance (use ‘set server’ instead)
enable agent : enable agent checks (use ‘set server’ instead)
enable health : enable health checks (use ‘set server’ instead)
enable server : enable a disabled server (use ‘set server’ instead)
set maxconn server : change a server’s maxconn setting
set server : change a server’s state, weight or address
get weight : report a server’s current weight
set weight : change a server’s weight (deprecated)

=> ‘set ssl tls-key’ is not listed :frowning:

please help me


#2

What happens when you use 0 instead of the filename?

echo "set ssl tls-key 0 Md204uGmRboB2gtcHPEa/2GxYnvayIBNY7Vr/YRFX9OgfyzFabQp6PccYhlJ8vzs" | /usr/bin/socat stdio /var/run/haproxy.stat1

That may only be a helptext issue that’s always been there.


#3

@lukastribus
Thanks for the reply.
Instead of the filename, I used 0, but the result is the same.


[root@SI3012-146 ~]# echo "set ssl tls-key 0 Md204uGmRboB2gtcHPEa/2GxYnvayIBNY7Vr/YRFX9OgfyzFabQp6PccYhlJ8vzs" | /usr/bin/socat stdio /var/run/haproxy.stat1

Unknown command. Please enter one of the following commands only :
help : this message
prompt : toggle interactive mode with prompt
quit : disconnect
show tls-keys [id|*]: show tls keys references or dump tls ticket keys when id specified
set maxconn global : change the per-process maxconn setting
set rate-limit : change a rate limiting value
set timeout : change a timeout setting
show env [var] : dump environment variables known to the process
show stat resolvers [id]: dumps counters from all resolvers section and
associated name servers
add acl : add acl entry
clear acl : clear the content of this acl
del acl : delete acl entry
get acl : report the patterns matching a sample for an ACL
show acl [id] : report available acls or dump an acl’s contents
add map : add map entry
clear map : clear the content of this map
del map : delete map entry
get map : report the keys and values matching a sample for a map
set map : modify map entry
show map [id] : report available maps or dump a map’s contents
show pools : report information about the memory pools usage
show sess [id] : report the list of current sessions or dump this session
shutdown session : kill a specific session
shutdown sessions server : kill sessions on a server
clear counters : clear max statistics counters (add ‘all’ for all counters)
show info : report information about the running process
show stat : report counters for each proxy and server
show errors : report last request and response errors for each proxy
clear table : remove an entry from a table
set table [id] : update or create a table entry’s data
show table [id]: report table usage stats or dump this table’s contents
disable frontend : temporarily disable specific frontend
enable frontend : re-enable specific frontend
set maxconn frontend : change a frontend’s maxconn setting
show servers state [id]: dump volatile server information (for backend )
show backend : list backends in the current running config
shutdown frontend : stop a specific frontend
disable agent : disable agent checks (use ‘set server’ instead)
disable health : disable health checks (use ‘set server’ instead)
disable server : disable a server for maintenance (use ‘set server’ instead)
enable agent : enable agent checks (use ‘set server’ instead)
enable health : enable health checks (use ‘set server’ instead)
enable server : enable a disabled server (use ‘set server’ instead)
set maxconn server : change a server’s maxconn setting
set server : change a server’s state, weight or address
get weight : report a server’s current weight
set weight : change a server’s weight (deprecated)


#4

Oh My God :scream:
I changed the command to “set ssl tls-keys” and the ticket key was successfully updated!
Is it a bug that the command is supposed to have changed?:thinking:


echo 'set ssl tls-keys /etc/haproxy/ssl/tls-ticket.key Md204uGmRboB2gtcHPEa/2GxYnvayIBNY7Vr/YRFX9OgfyzFabQp6PccYhlJ8vzs' | /usr/bin/socat stdio /var/run/haproxy.stat1
TLS ticket key updated!
[root@SI3012-146 ~]#
[root@SI3012-146 ~]# echo "show tls-keys *" | /usr/bin/socat stdio /var/run/haproxy.stat1

id secret

0 (/etc/haproxy/ssl/tls-ticket.key)

0.0 U2zwaYtNmjmhID7uDOVS+Uvu/2nQcAoyAndHfTNDqT2Yw3QWiajLkIf7dlrdB1Il
0.1 9dGgFVZnSGV2rKQRtAj8lgw4EPlBjF1rnknsOiDlbXUeu0b2HoEqWl5qPqmVWM7N
0.2 Md204uGmRboB2gtcHPEa/2GxYnvayIBNY7Vr/YRFX9OgfyzFabQp6PccYhlJ8vzs


#5

Yeah, this shouldn’t have happened.
I’m gonna dig into this and see how we can fix this, but for now, you are gonna have to use “set ssl tls-keys”.


#6

This was fixed in the development tree.

How this is gonna work is that in the next stable release, 1.7.10 (and all subsequent 1.7 releases), haproxy is gonna support both the correct keyword (“set ssl tls-key”) and the one that currently works (“set ssl tls-keys”).

In haproxy 1.8, only the correct keyword will work.
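
Putting the thread together, as an added example (not HAProxy's own code and not something posted above): a small Python helper that generates a fresh 48-byte ticket key, pushes it over the stats socket with the keyword the running version accepts, and checks that the `show tls-keys *` ring shifted the way post #4 shows (oldest key dropped, new key in the last slot). The socket and key-file paths are the ones from the thread and the version-to-keyword rule follows post #6; the parser for the `show tls-keys` output and the rotation check are assumptions based on the output quoted above.

```python
import base64, os, re, socket
SOCKET_PATH = "/var/run/haproxy.stat1"        # stats socket path from the thread
KEY_FILE = "/etc/haproxy/ssl/tls-ticket.key"  # key file path from the thread

def new_ticket_key():
    """48 random bytes (name, AES key, HMAC key) -> the 64-char base64 string 1.7 expects."""
    return base64.b64encode(os.urandom(48)).decode()

def set_keyword(version):
    """Per the thread: 1.7.0-1.7.9 only accept 'tls-keys', 1.7.10+ accept both, 1.8 only 'tls-key'."""
    major, minor, patch = (int(x) for x in version.split(".")[:3])
    if (major, minor) == (1, 7) and patch < 10:
        return "set ssl tls-keys"
    return "set ssl tls-key"

def parse_show_tls_keys(output):
    """Map each key file to its key ring, in slot order, from 'show tls-keys *' output (assumed format)."""
    rings, current = {}, None
    for line in output.splitlines():
        ref = re.match(r"^(\d+) \((.+)\)$", line.strip())      # e.g. "0 (/etc/haproxy/ssl/tls-ticket.key)"
        if ref:
            current = ref.group(2)
            rings[current] = []
            continue
        slot = re.match(r"^\d+\.\d+ (\S+)$", line.strip())    # e.g. "0.2 <base64 key>"
        if slot and current is not None:
            rings[current].append(slot.group(1))
    return rings

def rotation_ok(before, after, key_file, new_key):
    """True if the ring shifted as in the thread: oldest key dropped, new key in the last (encrypting) slot."""
    old = parse_show_tls_keys(before).get(key_file, [])
    new = parse_show_tls_keys(after).get(key_file, [])
    return bool(old) and new == old[1:] + [new_key]

def socket_cmd(cmd, path=SOCKET_PATH):
    """Send one command to the stats socket and return the full reply."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path)
        s.sendall((cmd + "\n").encode())
        return s.makefile().read()

def rotate(version, path=SOCKET_PATH, key_file=KEY_FILE):
    """Push a fresh key with the version-appropriate keyword and verify the ring actually moved."""
    key = new_ticket_key()
    before = socket_cmd("show tls-keys *", path)
    reply = socket_cmd("%s %s %s" % (set_keyword(version), key_file, key), path)
    if not rotation_ok(before, socket_cmd("show tls-keys *", path), key_file, key):
        raise RuntimeError("ticket key not rotated: " + reply.strip())
    return key
```

Verifying the ring after the `set` is the point: a misspelt keyword only returns the help text, so a rotation cron job that does not re-read `show tls-keys` would keep encrypting tickets with a stale key without anyone noticing.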


#7

It is not a big problem, because the action I want is working and it will be fixed correctly in the future.
Thanks :slight_smile: