As previously mentioned, we're using the following packages:

* Haproxy 1.4.15-1
* Openssl 1.0.1-4

So are you saying that I should update my configuration directives? This is the 
current example config:
listen proxyREDACTED-REDACTED-REDACTED 216.121.28.78:443
        # REDACTED
        # REDACTED
        # REDACTED
        # Primary VIP
        balance roundrobin
        source 216.121.28.78
        mode tcp
        timeout check 5000
        option ssl-hello-chk
        server REDACTED-REDACTED-REDACTED 216.121.17.252:443 check weight 100 inter 10000
        server REDACTED-REDACTED-REDACTED 216.121.17.232:443 check weight 100 inter 10000

Should I be updating the 'server' lines to use 'check ssl weight 100 inter 
10000'? Leaving or removing 'option ssl-hello-chk'? Or am I going to have to 
snag the source from Debian, change some compile-time flags and build a new 
deb package?

- Brian Menges

-----Original Message-----
From: Willy Tarreau [mailto:[email protected]]
Sent: Friday, November 21, 2014 9:27 AM
To: Lukas Tribus
Cc: Nenad Merdanovic; Cyril Bonté; Brian Menges; [email protected]
Subject: Re: debugging ssl passthrough+haproxy

On Fri, Nov 21, 2014 at 09:52:21AM +0100, Lukas Tribus wrote:
> >>> We need to check how haproxy 1.5 ssl-hello-chk behaves, if it's
> >>> still SSLv3 only, it would probably be a good time to upgrade this
> >>> to TLS (at least v1.0).
> >>>
> >>> Enable SSLv3 on your server or disable ssl-hello-chk to
> >>> work around the issue.
> >>>
> >>
> >> It is, though I would rather add an additional keyword, so like
> >> 'ssl-hello-chk tls' would activate TLS1.0
> >
> > Agreed, that way we can backport it to v1.5.
>
> I was thinking, do we really need this? If one builds 1.5 with
> openssl, we can use a real TLS transport layer, by specifying
> check-ssl on the server line (not check ssl) and that should fix the problem 
> already?
>
> TCP forwarding should still be possible even with check-ssl.

Indeed, I'd prefer not to add more confusion about the use of ssl-hello-check 
whose purpose is very limited, especially when native SSL support is available.

Best regards,
Willy
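The two health-check styles discussed in this thread side by side, as an added example that is not part of any message above and not haproxy's own documentation. It assumes haproxy 1.5 built with OpenSSL (USE_OPENSSL=1), backend addresses in the 192.0.2.0/24 documentation range, and Debian's CA bundle path /etc/ssl/certs/ca-certificates.crt; the listener and server names are made up.

```haproxy
# Added example (not from the thread): the same tcp-mode passthrough
# listener written two ways. Assumes haproxy 1.5 built with OpenSSL and
# example backend addresses in the 192.0.2.0/24 documentation range.

# --- Before: SSLv3 ClientHello health check ---
# 'option ssl-hello-chk' sends an SSLv3 ClientHello and only checks that the
# backend answers it. A backend that has SSLv3 disabled rejects that hello,
# so the check marks the server DOWN even though clients negotiating TLS
# are served without trouble.
listen proxy_sslv3_hello
    bind 192.0.2.10:443
    mode tcp
    balance roundrobin
    timeout check 5000
    option ssl-hello-chk
    server web1 192.0.2.21:443 check weight 100 inter 10000
    server web2 192.0.2.22:443 check weight 100 inter 10000

# --- After: real TLS handshake health check ---
# 'check-ssl' (one keyword, not 'check ssl') makes the health check itself a
# full TLS handshake through haproxy's OpenSSL linkage, so whatever protocol
# versions the backend still accepts decide the result, not a fixed SSLv3
# hello. Client traffic is untouched: there is no 'ssl' keyword on the server
# line and no certificate on the bind line, so the proxy remains a TCP
# passthrough. haproxy verifies the backend certificate by default, so a
# CA bundle is named here (Debian path, assumed) rather than 'verify none'.
listen proxy_tls_check
    bind 192.0.2.10:443
    mode tcp
    balance roundrobin
    timeout check 5000
    server web1 192.0.2.21:443 check check-ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt weight 100 inter 10000
    server web2 192.0.2.22:443 check check-ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt weight 100 inter 10000
```

The second form needs haproxy 1.5 linked against OpenSSL; haproxy 1.4 has no native SSL support, so on 1.4 the only choices are the SSLv3-based `option ssl-hello-chk` or a plain TCP connect check. After changing the check, `haproxy -c -f <config>` validates the file, and the stats page or `show stat` on the admin socket shows whether the backends return to UP.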

