Thank you for responding, and I wanted to share some more of my findings.

When I set
        ssl-default-bind-options no-sslv3 force-tlsv12

$ sudo vi /etc/haproxy/haproxy.cfg
:~$ sudo /etc/init.d/haproxy restart
 * Restarting haproxy haproxy
[ALERT] 139/122930 (8602) : parsing [/etc/haproxy/haproxy.cfg:22] : 'ssl-default-bind-options' 'force-tlsv12': library does not support protocol TLSv1.2
[ALERT] 139/122930 (8602) : Error(s) found in configuration file : /etc/haproxy/haproxy.cfg
[ALERT] 139/122930 (8602) : Fatal errors found in configuration.

When I set
        ssl-default-bind-options no-sslv3 force-tlsv11

:~$ sudo /etc/init.d/haproxy restart
 * Restarting haproxy haproxy
[ALERT] 139/122945 (8649) : parsing [/etc/haproxy/haproxy.cfg:22] : 'ssl-default-bind-options' 'force-tlsv11': library does not support protocol TLSv1.1
[ALERT] 139/122945 (8649) : Error(s) found in configuration file : /etc/haproxy/haproxy.cfg
[ALERT] 139/122945 (8649) : Fatal errors found in configuration.

When I set
        ssl-default-bind-options no-sslv3 force-tlsv10

:~$ sudo /etc/init.d/haproxy restart
 * Restarting haproxy haproxy
    [ OK ]

Does that mean it is an issue with the Ubuntu installation of HAProxy? Is there a way to resolve this?
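The alerts above are raised at config-parse time when the OpenSSL library HAProxy was built against does not define the requested protocol; TLS 1.1 and TLS 1.2 only exist from OpenSSL 1.0.1 onward. As an added example (not code from the thread or from the HAProxy project), this script reads the "Built with OpenSSL version" line of `haproxy -vv` output and reports which protocol keywords of ssl-default-bind-options that build can honour. The pre-1.0.1 sample output is constructed for illustration; the other sample repeats the lines from Bryan's `haproxy -vv` output further down.

```python
import re

# Constructed sample of `haproxy -vv` output for a build linked against a
# pre-1.0.1 OpenSSL (an assumption, not taken from the thread); only the lines
# the checker reads are included.
HAPROXY_VV_OLD = """\
HA-Proxy version 1.5.9 2014/11/25
Built with OpenSSL version : OpenSSL 0.9.8o 01 Jun 2010
Running on OpenSSL version : OpenSSL 0.9.8o 01 Jun 2010
"""
# Same lines as in Bryan's `haproxy -vv` output quoted in the thread.
HAPROXY_VV_NEW = """\
HA-Proxy version 1.5.12-2 2015/05/11
Built with OpenSSL version : OpenSSL 1.0.2a 19 Mar 2015
Running on OpenSSL version : OpenSSL 1.0.2a 19 Mar 2015
"""

# Earliest OpenSSL release defining each protocol that ssl-default-bind-options
# can name: TLS 1.1 and 1.2 (SSL_OP_NO_TLSv1_1 / _2) first appeared in 1.0.1.
MIN_OPENSSL = {"sslv3": (0, 9, 8), "tlsv10": (0, 9, 8),
               "tlsv11": (1, 0, 1), "tlsv12": (1, 0, 1)}


def openssl_version(vv_output):
    """Return the build-time OpenSSL version from `haproxy -vv` as a tuple."""
    m = re.search(r"^Built with OpenSSL version\s*:\s*OpenSSL (\d+)\.(\d+)\.(\d+)",
                  vv_output, re.M)
    if not m:
        raise ValueError("no 'Built with OpenSSL version' line: built without SSL?")
    return tuple(int(x) for x in m.groups())


def check_bind_options(vv_output, options_line):
    """Map each no-/force- protocol keyword to True if the build's library
    knows that protocol, or False where HAProxy would alert
    'library does not support protocol ...' while parsing the config."""
    ver = openssl_version(vv_output)
    result = {}
    for opt in options_line.split():
        m = re.fullmatch(r"(no|force)-(sslv3|tlsv1[012])", opt)
        if m:   # other keywords (e.g. prefer-client-ciphers) name no protocol
            result[opt] = ver >= MIN_OPENSSL[m.group(2)]
    return result


if __name__ == "__main__":
    for label, vv in (("old build", HAPROXY_VV_OLD), ("1.0.2a build", HAPROXY_VV_NEW)):
        for opts in ("no-sslv3 no-tlsv10", "no-sslv3 force-tlsv12"):
            print(label, opts, check_bind_options(vv, opts))
```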


From: Bryan Talbot <[email protected]>
To: Amol <[email protected]>
Cc: HAproxy Mailing Lists <[email protected]>
Sent: Monday, May 11, 2015 5:29 PM
Subject: Re: SSL handshake failure when setting up no-tlsv10


On Mon, May 11, 2015 at 1:46 PM, Amol <[email protected]> wrote:

Hi,
I am using HAProxy (1.5.9) and trying to resolve a PCI compliance issue with TLS v1.0, but when I set the following options in the global section of haproxy.cfg I am getting an error in my haproxy.log and the webpage does not show up.

ssl-default-bind-options no-sslv3 no-tlsv10

Error in haproxy.log:

May 11 16:37:39 load-lb haproxy[2680]: xx.xx.xx.xx:56787 [11/May/2015:16:37:39.626] www-https/1: SSL handshake failure


Here is the snippet of the actual SSL settings:
        ssl-default-bind-ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4
        ssl-default-bind-options no-sslv3 no-tlsv10
        tune.ssl.default-dh-param 4096

Please let me know if I am missing anything.





Works for me.
$ ./haproxy -vv
HA-Proxy version 1.5.12-2 2015/05/11
Copyright 2000-2015 Willy Tarreau <[email protected]>

Build options :
  TARGET  = generic
  CPU     = generic
  CC      = gcc
  CFLAGS  = -O2 -g -fno-strict-aliasing
  OPTIONS = USE_ZLIB=1 USE_OPENSSL=0

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

Encrypted password support via crypt(3): no
Built with zlib version : 1.2.5
Compression algorithms supported : identity, deflate, gzip
Built with OpenSSL version : OpenSSL 1.0.2a 19 Mar 2015
Running on OpenSSL version : OpenSSL 1.0.2a 19 Mar 2015
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built without PCRE support (using libc's regex instead)

Available polling systems :
      poll : pref=200,  test result OK
    select : pref=150,  test result OK
Total: 2 (2 usable), will use poll.

$ cat haproxy.cfg
global
  tune.ssl.default-dh-param 4096
  ssl-default-bind-options no-sslv3 no-tlsv10
  ssl-default-bind-ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4

defaults
  timeout client 5s
  timeout server 5s
  mode http

listen foo
  bind :4433 ssl crt ./test.pem

$ ./haproxy -f ./haproxy.cfg -c
Configuration file is valid

$ openssl version
OpenSSL 1.0.2a 19 Mar 2015

$ echo | openssl s_client -connect 127.0.0.1:4433
...
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
...

Maybe it's an issue with your client?
-Bryan