Yes, I figured since it is an Ubuntu 10.04 machine it has an old version of OpenSSL,
so I looked around for upgrading the OpenSSL and found this link:
https://sandilands.info/sgordon/upgrade-latest-version-openssl-on-ubuntu
So can I just upgrade to OpenSSL 1.0.1, add it to the correct path and just
restart the haproxy service? Do you think that would work?
I would really like to install haproxy from the repository instead of compiling it
myself.
From: Bryan Talbot <[email protected]>
To: Amol <[email protected]>; HAproxy Mailing Lists <[email protected]>
Sent: Wednesday, May 20, 2015 1:18 PM
Subject: Re: SSL handshake failure when setting up no-tlsv10
On Wed, May 20, 2015 at 10:10 AM, Amol <[email protected]> wrote:
Here is the output from the commands you requested:
Built with OpenSSL version : OpenSSL 0.9.8k 25 Mar 2009
Running on OpenSSL version : OpenSSL 0.9.8k 25 Mar 2009
:~$ openssl version
OpenSSL 0.9.8k 25 Mar 2009
The openssl version is just too old to support TLS 1.2 as you can see in the
supported cipher list below. Best bet would be to upgrade to a newer release of
your OS. Another option would be to compile a newer version of openssl and
compile your own haproxy and statically link against the newer openssl.
-Bryan
:~$ openssl ciphers -v
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
DES-CBC3-MD5 SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
RC2-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC2(128) Mac=MD5
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC4-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH Au=RSA Enc=DES(56) Mac=SHA1
EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH Au=DSS Enc=DES(56) Mac=SHA1
DES-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
DES-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=DES(56) Mac=MD5
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512) Au=DSS Enc=DES(40) Mac=SHA1 export
EXP-DES-CBC-SHA SSLv3 Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC2-CBC-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
EXP-RC4-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
:~$
From: Bryan Talbot <[email protected]>
To: Amol <[email protected]>; HAproxy Mailing Lists <[email protected]>
Sent: Wednesday, May 20, 2015 1:04 PM
Subject: Re: SSL handshake failure when setting up no-tlsv10
On Wed, May 20, 2015 at 9:39 AM, Amol <[email protected]> wrote:
Thank you for responding, and I wanted to share some more of my findings
when I set
ssl-default-bind-options no-sslv3 force-tlsv12
$ sudo vi /etc/haproxy/haproxy.cfg
:~$ sudo /etc/init.d/haproxy restart
* Restarting haproxy haproxy
[ALERT] 139/122930 (8602) : parsing [/etc/haproxy/haproxy.cfg:22] :
'ssl-default-bind-options' 'force-tlsv12': library does not support protocol
TLSv1.2
[ALERT] 139/122930 (8602) : Error(s) found in configuration file :
/etc/haproxy/haproxy.cfg
[ALERT] 139/122930 (8602) : Fatal errors found in configuration.
Yes, it sounds like your openssl lib must be pretty old or is oddly configured.
What does "haproxy -vv" and "openssl version" report? You can see a list of
supported ciphers and protocols using "openssl ciphers -v" as well.
-Bryan
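An added example, not code from the thread: it parses `openssl ciphers -v` output like the list quoted above and reports which protocol versions and which weak suites the library offers, which is the check Bryan did by eye. The regex, the field names and the single TLSv1.2 sample line are my assumptions.

```python
import re

# Constructed sample in `openssl ciphers -v` format: four lines copied from the
# OpenSSL 0.9.8k output in the thread, plus one TLSv1.2 suite written the way a
# newer (1.0.1+) library prints it. That last line is an assumption, not output
# from the poster's machine.
SAMPLE = """\
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DES-CBC3-MD5 SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
EXP-RC4-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
"""

# Cipher line: name, lowest protocol the suite is defined for, Kx/Au/Enc/Mac
# fields, optional trailing "export" marker.
LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)(?P<export>\s+export)?\s*$"
)

def parse_ciphers(text):
    """Return one dict per cipher line; non-matching lines (prompts) are skipped."""
    suites = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            d = m.groupdict()
            d["export"] = d["export"] is not None
            suites.append(d)
    return suites

def is_weak(s):
    """Export-grade keys, SSLv2-only suites, RC4/RC2/single-DES, or an MD5 MAC."""
    return (s["export"] or s["proto"] == "SSLv2"
            or s["enc"].startswith(("RC4", "RC2", "DES("))
            or s["mac"] == "MD5")

def audit(text):
    """TLS 1.2 support shows up as suites whose protocol column reads TLSv1.2
    (the SHA256/GCM ones); a list with none is why force-tlsv12 is rejected."""
    suites = parse_ciphers(text)
    protocols = sorted({s["proto"] for s in suites})
    return {"count": len(suites), "protocols": protocols,
            "supports_tls12": "TLSv1.2" in protocols,
            "weak": [s["name"] for s in suites if is_weak(s)]}
```

Feed the real `openssl ciphers -v` output from the HAProxy host into `audit()`; on the 0.9.8k library in this thread it returns `supports_tls12: False` and flags every SSLv2, export, RC4, DES and MD5 suite.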