VS: HAproxy reset TLS connection (Solved)

2022-05-02 Thread Henning Svane
Hi

Solved!
I found out what the problem was.

Exchange Server 2019 does not use HTTP/2, only 1.1. And I specified alpn h2; this 
was the problem, not a certificate error.
But as the error does not say what is wrong, it can be difficult to find out.
The way I found out was by using this program as a trial: 
Fiddler Everywhere.
It can show the network capture like Wireshark, but also decrypt it, so you can 
see what's going on. And here I could see it was HTTP/1.1.

So the traffic was reset because the server had sent 200 OK, but in HTTP/1.1 
and not in HTTP/2, and therefore it was not accepted.


I am still trying to get TLS to work, but so far with no luck.

Haproxy:  fc00:::##61::11
Server:  fc00:::##22::11 (Exchange server)

When I run my mini HAProxy test script, HAProxy closes the connection with an 
Encryption Alert, or as it shows in the log file:
failed, reason: Layer7 invalid response, check duration: 10ms

I have tried to look into the traffic with Wireshark, and it is here I can see 
that it is terminated with "Encryption Alert (21)".
But why, I cannot see, and I cannot find a way to get more information out of 
HAProxy.
Both wget and curl with the certificate work as they should and reply 200 OK.
curl https://xmail.XX.dk/ecp/healthcheck.htm --cacert crt5.pem
200 OK
crt5.pem = public + intermediates + Root CA + Private

This is the code that produces the connection:
 backend HA_DAG_XMail_ECP
   mode http
   id 503
   log global
   balance roundrobin
   option log-health-checks
   option httpchk GET /ecp/healthcheck.htm
   http-check expect status 200
   server XMailDB01 XMail01.xx.dk:443 check maxconn 100 ssl ca-file /etc/haproxy/crt/crt5.pem alpn h2
   server XMailDB02 XMail02.xx.dk:443 check maxconn 100 ssl ca-file /etc/haproxy/crt/crt5.pem alpn h2
   server XMailDB03 XMail03.xx.dk:443 check maxconn 100 ssl ca-file /etc/haproxy/crt/crt5.pem alpn h2

Here is the TLS output from Wireshark (the quoted capture is cut off at frame 52):
No.  Time             Source           Destination      Protocol  Length  Info
27   15:54:19,399602  fc00:::##61::11  fc00:::##22::11  TLSv1.2   324     Client Hello
30   15:54:19,401908  fc00:::##22::11  fc00:::##61::11  TLSv1.2   694     Server Hello, Certificate, Server Key Exchange, Server Hello Done
34   15:54:19,405761  fc00:::##61::11  fc00:::##22::11  TLSv1.2   232     Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
35   15:54:19,407486  fc00:::##22::11  fc00:::##61::11  TLSv1.2   125     Change Cipher Spec, Encrypted Handshake Message
36   15:54:19,407584  fc00:::##22::11  fc00:::##61::11  TLSv1.2   143     Application Data
39   15:54:19,407936  fc00:::##61::11  fc00:::##22::11  TLSv1.2   159     Application Data
43   15:54:21,410207  fc00:::##61::11  fc00:::##22::11  TLSv1.2   324     Client Hello
46   15:54:21,412491  fc00:::##22::11  fc00:::##61::11  TLSv1.2   694     Server Hello, Certificate, Server Key Exchange, Server Hello Done
50   15:54:21,416660  fc00:::##61::11  fc00:::##22::11  TLSv1.2   232     Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
51   15:54:21,418423  fc00:::##22::11  fc00:::##61::11  TLSv1.2   125     Change Cipher Spec, Encrypted Handshake Message
52   15:54:21,418561  fc00:::##22::11  fc00:::##61::11
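The thread's root cause was an ALPN mismatch: HAProxy offered only h2 while the backend spoke HTTP/1.1, and HAProxy's log said only "Layer7 invalid response". The shell script below is an added example (not from the thread and not HAProxy's own tooling) that asks a TLS backend directly which ALPN protocol it negotiates, using openssl s_client, and classifies the answer so the mismatch is visible before a health check is written. It assumes openssl is on PATH and that the host and port are supplied by the caller; the sample s_client lines it parses stand-alone are constructed, not a real capture.

```shell
#!/bin/sh
# Added example: probe the ALPN protocol a TLS backend actually negotiates.
# Assumes `openssl` is on PATH; host/port are supplied by the caller.

# parse_alpn: read `openssl s_client` output on stdin and print the negotiated
# ALPN protocol, "none" when the server declined every offered candidate, or
# "unknown" when neither marker line appeared (for example, a TLS failure).
parse_alpn() {
    awk '
        /^ALPN protocol:/     { print $3;       found = 1 }
        /^No ALPN negotiated/ { print "none";   found = 1 }
        END                   { if (!found) print "unknown" }
    '
}

# probe_alpn HOST PORT PROTOS: offer PROTOS (comma-separated, as s_client
# expects, e.g. "h2" or "h2,http/1.1") and report what the server picked.
probe_alpn() {
    host=$1; port=$2; protos=$3
    openssl s_client -connect "$host:$port" -servername "$host" -alpn "$protos" \
        </dev/null 2>/dev/null | parse_alpn
}

# check_backend_alpn HOST PORT WANTED: succeed only if the backend negotiates
# WANTED; otherwise explain what it negotiated instead. A backend that answers
# "none" or "http/1.1" to an offer of "h2" will not satisfy an HAProxy server
# line configured with `alpn h2`.
check_backend_alpn() {
    host=$1; port=$2; wanted=$3
    got=$(probe_alpn "$host" "$port" "$wanted")
    if [ "$got" = "$wanted" ]; then
        echo "$host:$port negotiates $wanted"
        return 0
    fi
    echo "$host:$port does not negotiate $wanted (negotiated: $got)"
    return 1
}

# Constructed sample output lines (not a real capture) so the parser can be
# exercised offline; classify_sample feeds one such line through parse_alpn.
SAMPLE_HTTP11='ALPN protocol: http/1.1'
SAMPLE_NONE='No ALPN negotiated'
SAMPLE_TLS_FAIL='CONNECTED(00000003)'
classify_sample() {
    printf '%s\n' "$1" | parse_alpn
}

# Usage against a live backend (hypothetical host):
#   ./alpn_probe.sh XMail01.xx.dk 443 h2
# Only runs the live probe when arguments are given, so sourcing is harmless.
if [ $# -ge 3 ]; then
    check_backend_alpn "$1" "$2" "$3"
fi
```

If the probe reports http/1.1 or none for an offer of h2, the server line's `alpn h2` is the wrong setting for that backend: remove it, as the thread's author did, or offer `alpn http/1.1` so the negotiated protocol matches what the health check expects. One further point a reviewer would raise on the quoted config: `ca-file` is a list of trust anchors, so the file handed to it should contain only CA certificates, never the private key that crt5.pem is described as bundling.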

HAproxy reset TLS connection

2022-05-02 Thread Henning Svane
Hi

I am still trying to get TLS to work, but so far with no luck.

Haproxy:  fc00:::##61::11
Server:  fc00:::##22::11 (Exchange server)

When I run my mini HAProxy test script, HAProxy closes the connection with an 
Encryption Alert, or as it shows in the log file:
failed, reason: Layer7 invalid response, check duration: 10ms

I have tried to look into the traffic with Wireshark, and it is here I can see 
that it is terminated with "Encryption Alert (21)".
But why, I cannot see, and I cannot find a way to get more information out of 
HAProxy.
Both wget and curl with the certificate work as they should and reply 200 OK.
curl https://xmail.XX.dk/ecp/healthcheck.htm --cacert crt5.pem
200 OK
crt5.pem = public + intermediates + Root CA + Private

This is the code that produces the connection:
 backend HA_DAG_XMail_ECP
   mode http
   id 503
   log global
   balance roundrobin
   option log-health-checks
   option httpchk GET /ecp/healthcheck.htm
   http-check expect status 200

Here is the TLS output from Wireshark (the message is cut off at frame 64):
No.  Time             Source           Destination      Protocol  Length  Info
27   15:54:19,399602  fc00:::##61::11  fc00:::##22::11  TLSv1.2   324     Client Hello
30   15:54:19,401908  fc00:::##22::11  fc00:::##61::11  TLSv1.2   694     Server Hello, Certificate, Server Key Exchange, Server Hello Done
34   15:54:19,405761  fc00:::##61::11  fc00:::##22::11  TLSv1.2   232     Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
35   15:54:19,407486  fc00:::##22::11  fc00:::##61::11  TLSv1.2   125     Change Cipher Spec, Encrypted Handshake Message
36   15:54:19,407584  fc00:::##22::11  fc00:::##61::11  TLSv1.2   143     Application Data
39   15:54:19,407936  fc00:::##61::11  fc00:::##22::11  TLSv1.2   159     Application Data
43   15:54:21,410207  fc00:::##61::11  fc00:::##22::11  TLSv1.2   324     Client Hello
46   15:54:21,412491  fc00:::##22::11  fc00:::##61::11  TLSv1.2   694     Server Hello, Certificate, Server Key Exchange, Server Hello Done
50   15:54:21,416660  fc00:::##61::11  fc00:::##22::11  TLSv1.2   232     Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
51   15:54:21,418423  fc00:::##22::11  fc00:::##61::11  TLSv1.2   125     Change Cipher Spec, Encrypted Handshake Message
52   15:54:21,418561  fc00:::##22::11  fc00:::##61::11  TLSv1.2   143     Application Data
55   15:54:21,418931  fc00:::##61::11  fc00:::##22::11  TLSv1.2   159     Application Data
56   15:54:21,419013  fc00:::##61::11  fc00:::##22::11  TLSv1.2   105     Encrypted Alert
61   15:54:23,421367  fc00:::##61::11  fc00:::##22::11  TLSv1.2   324     Client Hello
64   15:54:23,423533  fc00:::##22::11  fc00:::##61::11  TLSv1.2   694     Server Hello,