Issues with force-sslv3 - Travis Fitch

Hi there,

I'm running haproxy 1.5.12 and I have set 'ssl-default-bind-options no-sslv3 no-tlsv10' (without the quotes of course) under the global section, as I want all my front-ends not to support SSLv3 or TLS1.0. However, I do have a client that still requires SSLv3 support (for their own reasons). I have tried using force-sslv3 on the server line in the backend that matches their site; however, this does not seem to be working at all.

The config snippet looks like this:

    global
        log 127.0.0.1 local0
        log 127.0.0.1 local1 notice
        maxconn 4096
        user haproxy
        group haproxy
        daemon
        stats socket /var/run/haproxy
        # SSL Options
        tune.ssl.default-dh-param 4096
        ssl-server-verify none    # Used when backend is to some server that only has SSL
        ssl-default-bind-options no-sslv3 no-tlsv10
        ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
        ssl-default-server-options no-sslv3 no-tlsv10
        ssl-default-server-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS

    frontend http-in
        bind *:443 ssl crt /etc/haproxy/certs/ha_certifitcate.pem
        use_backend client_2 if { ssl_fc_sni client_2.mycompany.net }

    backend client_2
        option httpclose
        option forwardfor
        http-request set-header X-Forwarded-Port %[dst_port]
        http-request set-header X-Forwarded-Proto https if { ssl_fc }
        http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
        redirect scheme https if !{ ssl_fc }
        server client_2 10.82.1.93:8880 cookie client_2 check force-sslv3

Please note that I host/support a number of websites for various clients using a wildcard certificate that matches *.mycompany.net, e.g. client1.mycompany.net, client2.mycompany.net, etc.

When testing this using:

    openssl s_client -connect client_2.mycompany.net:443 -ssl3

I see the following in the haproxy logs:

    Jul 4 00:25:34 localhost.localdomain haproxy[1297]: xxx.xxx.xxx.xxx:55260 [04/Jul/2015:00:25:34.675] http-in/2: SSL handshake failure

This is the behaviour I expect to see with SSLv3 being disabled. Testing with:

    openssl s_client -connect client_2.mycompany.net:443 -tls1_2

works as expected.

Any thoughts on what I am doing incorrectly here?

Regards,
- Travis
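An added check script, not from Travis's post and not haproxy's own tooling, that runs the same openssl s_client probe for each protocol version and reports which ones the frontend accepts for a given SNI name; the classify_sclient/probe_* function names and the expected output markers are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post or from haproxy: probe which
# SSL/TLS versions a frontend accepts for one SNI name, using openssl s_client
# as the post does. Assumes an openssl build that still knows -ssl3 (newer
# builds drop SSLv3 entirely and report an unknown option for it).

# Classify raw s_client output as accepted / rejected / unsupported.
# Failure markers are checked first because s_client prints an SSL-Session
# block with "Cipher : 0000" even when the handshake was refused.
classify_sclient() {
    if printf '%s\n' "$1" | grep -qi 'unknown option'; then
        echo unsupported
    elif printf '%s\n' "$1" | grep -qiE 'handshake failure|wrong version number|Cipher *: 0000|no peer certificate'; then
        echo rejected
    elif printf '%s\n' "$1" | grep -q 'Verify return code'; then
        echo accepted
    else
        echo rejected
    fi
}

# probe_proto HOST PORT SNI FLAG: one handshake attempt. -servername sends the
# SNI that the post's use_backend rule keys on; a bare -connect sends no SNI.
probe_proto() {
    out=$(printf 'Q\n' | openssl s_client -connect "$1:$2" -servername "$3" "$4" 2>&1)
    classify_sclient "$out"
}

# probe_all HOST PORT SNI: one result line per protocol version.
probe_all() {
    for flag in -ssl3 -tls1 -tls1_1 -tls1_2; do
        printf '%-8s %s\n' "$flag" "$(probe_proto "$1" "$2" "$3" "$flag")"
    done
}

# Usage (hostname taken from the post; point it at your own frontend):
# probe_all client_2.mycompany.net 443 client_2.mycompany.net
```

A frontend whose bind inherits no-sslv3 should show -ssl3 as rejected and -tls1_2 as accepted, matching the handshake-failure log line in the post.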

