Hi everyone,
I built haproxy with static openssl, both from latest git versions. The
resulting binary works fine, but Elliptic Curve ciphers aren't available. I'm
looking for help to diagnose this issue.
----------------------------------------------------------------
$ openssl ciphers -v ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
$ openssl s_client -connect <target>:443 -cipher ECDHE-RSA-AES256-GCM-SHA384
CONNECTED(00000003)
140250231854784:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:755:
----------------------------------------------------------------
The same connection test on www.google.com:443 succeeds with the same
ciphersuite.
Likewise, I can connect to haproxy using DHE-RSA-AES128-GCM-SHA256 and other
TLS1.2 ciphers. Only ECC ciphers fail.
OpenSSL and Haproxy were built using the following commands:
----------------------------------------------------------------
#!/usr/bin/env bash
export STATICLIBSSL="/tmp/staticlibssl"
#-- Build static openssl (no shared libraries, 64-bit NIST curve code enabled)
cd ~/Code/openssl
git pull
rm -rf "$STATICLIBSSL"
mkdir "$STATICLIBSSL"
make clean
./config --prefix="$STATICLIBSSL" no-shared enable-ec_nistp_64_gcc_128
make depend
make
make install_sw
#-- Build static haproxy against the openssl just installed in $STATICLIBSSL
cd ~/Code/haproxy
git pull
make clean
make TARGET=linux2628 USE_STATIC_PCRE=1 USE_OPENSSL=1 \
    ADDINC="-I$STATICLIBSSL/include" ADDLIB="-L$STATICLIBSSL/lib -ldl"
----------------------------------------------------------------
And the resulting binary has:
----------------------------------------------------------------
# ./bin/haproxy -vv
HA-Proxy version 1.5-dev19-12 2013/07/06
Copyright 2000-2013 Willy Tarreau <w...@1wt.eu>
Build options :
TARGET = linux2628
CPU = generic
CC = gcc
CFLAGS = -O2 -g -fno-strict-aliasing
OPTIONS = USE_OPENSSL=1 USE_STATIC_PCRE=1
Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200
Encrypted password support via crypt(3): yes
Built without zlib support (USE_ZLIB not set)
Compression algorithms supported : identity
Built with OpenSSL version : OpenSSL 1.1.0-dev xx XXX xxxx
Running on OpenSSL version : OpenSSL 1.1.0-dev xx XXX xxxx
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.32 2012-11-30
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.
----------------------------------------------------------------
Thanks a lot for the help!
Julien
--
Julien Vehent
(307) 363-2101
http://jve.linuxwall.info
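A small diagnostic that walks every ECDHE suite the local OpenSSL knows, attempts one s_client handshake per suite against the server under test, and reports which ones were negotiated, which were refused with a handshake_failure alert (the symptom in the mail above) and which failed for some other reason. This is an added example, not code from Julien's mail or from the haproxy or OpenSSL projects. It assumes the openssl CLI is on PATH, takes host and port from the command line, and the sample transcripts in its self-test are constructed from the output format quoted above.

```shell
#!/usr/bin/env bash
# Added example: classify and probe ECDHE suite support on a TLS endpoint.
# Assumes `openssl` is on PATH. Host and port come from the command line.

# Classify one captured `openssl s_client` transcript:
#   rejected -> server answered with a handshake_failure alert (suite not served)
#   ok       -> a suite was negotiated ("Cipher is <name>")
#   error    -> no suite negotiated for another reason (refused connection,
#               unknown suite name locally, "Cipher is (NONE)", ...)
# Patterns are tried in order, so the alert check wins over the others.
classify_handshake() {
    case "$1" in
        *"alert handshake failure"*) echo rejected ;;
        *"Cipher is (NONE)"*)        echo error ;;
        *"Cipher is "*)              echo ok ;;
        *)                           echo error ;;
    esac
}

# Does the local OpenSSL build carry EC support at all? If not, the client
# cannot offer ECDHE and a server-side test would be meaningless.
local_ec_support() {
    openssl ecparam -list_curves >/dev/null 2>&1
}

# Probe every ECDHE suite the local OpenSSL lists. -tls1_2 pins the protocol so
# the answer reflects the named suite (on OpenSSL 1.1.1+ a TLS 1.3 session could
# otherwise succeed regardless of -cipher). Prints one line per suite and a
# summary; returns 1 when no ECDHE suite was negotiated, 2 when the local
# build has no EC support.
probe_ecdhe_suites() {
    host="$1"
    port="${2:-443}"
    local_ec_support || { echo "local openssl has no EC support"; return 2; }
    suites=$(openssl ciphers 'ECDHE' 2>/dev/null | tr ':' ' ')
    [ -n "$suites" ] || { echo "local openssl lists no ECDHE suites"; return 2; }
    negotiated=0
    total=0
    for suite in $suites; do
        total=$((total + 1))
        transcript=$(openssl s_client -connect "$host:$port" -tls1_2 \
                        -cipher "$suite" </dev/null 2>&1)
        result=$(classify_handshake "$transcript")
        printf '%-40s %s\n' "$suite" "$result"
        [ "$result" = ok ] && negotiated=$((negotiated + 1))
    done
    echo "$negotiated of $total ECDHE suites negotiated by $host:$port"
    [ "$negotiated" -gt 0 ]
}

# Self-test on constructed transcripts (shaped like the output quoted in the
# mail); returns 0 when the classifier behaves as documented above.
selftest_classifier() {
    failing="CONNECTED(00000003)
140250231854784:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:755:"
    passing="New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384"
    nothing="New, (NONE), Cipher is (NONE)"
    refused="connect: Connection refused"
    [ "$(classify_handshake "$failing")" = rejected ] &&
    [ "$(classify_handshake "$passing")" = ok ] &&
    [ "$(classify_handshake "$nothing")" = error ] &&
    [ "$(classify_handshake "$refused")" = error ]
}

# Usage: ./probe_ecdhe.sh <host> [port]
if [ "$#" -ge 1 ]; then
    probe_ecdhe_suites "$@"
fi
```

Run it once against the haproxy bind address and once against a reference host known to serve ECDHE (the mail uses www.google.com:443): if every suite comes back `rejected` from haproxy while the reference host negotiates them and `local_ec_support` succeeds, the client side is fine and the problem lies in the server's build or its TLS configuration rather than in the OpenSSL used by s_client.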