Hello,

Excellent news on SSL coming to HAProxy, thanks for all the hard work!
I wonder if somebody could please help?

Firstly, my HAProxy -vv gives me the following:

HA-Proxy version 1.5-dev12 2012/09/10
Copyright 2000-2012 Willy Tarreau 

Build options :
  TARGET  = linux2628
  CPU     = generic
  CC      = gcc
  CFLAGS  = -O2 -g -fno-strict-aliasing
  OPTIONS = USE_OPENSSL=1 USE_PCRE=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with OpenSSL version : OpenSSL 1.0.1c 10 May 2012
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes

Available polling systems :
     sepoll : pref=400,  test result OK
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 4 (4 usable), will use sepoll.

My config is straightforward, a frontend with a bind as follows:

bind LBIP:443 ssl crt /etc/haproxy/mycert.pem ciphers !LOW:MEDIUM:HIGH:!ADH:CAMELLIA:!AECDH:@STRENGTH prefer-server-ciphers

When using Opera 12.02 (with TLS1.2 protocol enabled) to connect to this 
instance, the browser only negotiates TLS1.0. If I use exactly the same browser 
to connect to an instance of stunnel compiled using the same openssl library, 
TLS1.2 works just fine. I have used Wireshark to examine the out/in - the 
browser is definitely sending a clienthello with TLS1.2 specified as its 
capability, but the server always returns TLS1.0.
Further, if I try to specify just TLS1.2 ciphers in the above, e.g. bind 
LBIP:443 ssl crt /etc/haproxy/robway.pem ciphers 
ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:@STRENGTH - and then try to restart 
HAProxy, I get 

 268/043458 (7711) : Proxy 'frontend': unable to set SSL cipher list to 
'ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:@STRENGTH' for bind 'LBIP:443' at .
 268/043458 (7711) : Fatal errors found in configuration.

Is there something preventing TLS1.2 from working in HAProxy or have I messed 
up somewhere?
BTW, when I do openssl ciphers over the version I think is compiled into 
HAProxy, I do see the above TLS1.2 ciphers in the list.

Regards,

Andy

---
posted at http://www.serverphorums.com
http://www.serverphorums.com/read.php?10,569111,569111#msg-569111
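As an added example (not part of Andy's post and not HAProxy or stunnel code): a small Python parser that pulls the version fields out of the two Hello records that were inspected in Wireshark above, and for the ServerHello also decodes the suite the server picked, so the "client offered TLS1.2, server answered TLS1.0" symptom can be checked from captured bytes rather than by eye. The packets it runs on are constructed here to reproduce that symptom; the cipher suite ids are the IANA values for the suites named in the post.

```python
import struct

# Constructed example, not the poster's capture or HAProxy code.
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS1.0", 0x0302: "TLS1.1", 0x0303: "TLS1.2"}
# IANA ids for the TLS1.2 suites named in the post plus one TLS1.0-era suite.
SUITES = {0xC027: "ECDHE-RSA-AES128-SHA256", 0x009C: "AES128-GCM-SHA256",
          0x002F: "AES128-SHA"}

def parse_hello(record: bytes) -> dict:
    """Return the versions of a Client/ServerHello record (plus the suite a ServerHello picked)."""
    if len(record) < 11 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_ver, rec_len = struct.unpack("!HH", record[1:5])
    body = record[5:5 + rec_len]
    if len(body) != rec_len or body[0] not in (1, 2):
        raise ValueError("truncated record or not a Client/ServerHello")
    if int.from_bytes(body[1:4], "big") != len(body) - 4:
        raise ValueError("handshake length mismatch")
    hs_ver = struct.unpack("!H", body[4:6])[0]      # the version that actually counts
    info = {"type": "ClientHello" if body[0] == 1 else "ServerHello",
            "record_version": VERSIONS.get(rec_ver, hex(rec_ver)),
            "version": VERSIONS.get(hs_ver, hex(hs_ver))}
    if body[0] == 2:
        sid_len = body[38]                          # 4 hdr + 2 version + 32 random
        suite = struct.unpack("!H", body[39 + sid_len:41 + sid_len])[0]
        info["cipher_suite"] = SUITES.get(suite, hex(suite))
    return info

def negotiation_summary(client_hello: bytes, server_hello: bytes) -> str:
    """One-line verdict of the kind read off the Wireshark capture."""
    c, s = parse_hello(client_hello), parse_hello(server_hello)
    verdict = "matched" if s["version"] == c["version"] else "downgraded"
    return (f"client offered {c['version']}, server chose {s['version']} "
            f"({verdict}) with {s['cipher_suite']}")

def build_hello(hs_type: int, version: int, suites: list) -> bytes:
    """Minimal constructed Hello: zero random, empty session id, no extensions."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"
    if hs_type == 1:                                # ClientHello: suite list + compression list
        body += struct.pack("!H", 2 * len(suites))
        body += b"".join(struct.pack("!H", s) for s in suites) + b"\x01\x00"
    else:                                           # ServerHello: one suite + compression
        body += struct.pack("!H", suites[0]) + b"\x00"
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # record layer stays 0x0301

# Constructed packets mirroring the post: TLS1.2 offered, TLS1.0 answered.
CLIENT_HELLO = build_hello(1, 0x0303, [0xC027, 0x009C, 0x002F])
SERVER_HELLO = build_hello(2, 0x0301, [0x002F])
```

Note that the record-layer version in a first flight is normally 0x0301 regardless of what is offered, which is why the handshake-body version, not the record header, is what to compare.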