Running in debug mode returns this at startup:
[WARNING] 053/110236 (21101) : Setting tune.ssl.default-dh-param to 1024 by default, if your workload permits it you should set it to at least 2048. Please set a value >= 1024 to make this warning disappear.
Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result FAILED
Total: 3 (2 usable), will use epoll.
Using epoll() as the polling mechanism.
(By the way, changing 'tune.ssl.default-dh-param' to 2048 makes no difference to whether the 'ldapsearch' queries succeed.)
Connecting using 'openssl s_client' returns this at the HAProxy debug
window:
00000000:ldapS_service_front.accept(0007)=000a from [fluteydesktop.company.com:51384]
00000000:ldaps_service_back.srvcls[000a:000b]
00000000:ldaps_service_back.clicls[000a:000b]
00000000:ldaps_service_back.closed[000a:000b]
Connecting using 'openssl s_client' returns this at my desktop (somewhat
redacted for privacy and brevity):
$ openssl s_client -verify 10 -CAfile DigiCertHighAssuranceEVRootCA.cer -state -connect ldap.company.com:636
verify depth is 10
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
verify return:1
depth=0 C = US, ST = SomeState, L = Locality, O = "My Company, Inc.", CN = ldap.company.com
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read server session ticket A
SSL_connect:SSLv3 read finished A
---
Certificate chain
0 s:/C=US/ST=SomeState/L=Locality/O=My Company, Inc./CN=ldap.company.com
  i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
  i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
....
-----END CERTIFICATE-----
subject=/C=US/ST=SomeState/L=Locality/O=My Company, Inc./CN=ldap.company.com
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
---
No client certificate CA names sent
---
SSL handshake has read 3307 bytes and written 432 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: CFE3082AC1951E38AD...C6C6B7DABBF9E7494E537AA96FAD0
Session-ID-ctx:
Master-Key: 7BF6FB1C4030CFCC2A9D...9BA6706561CB9C00C923F1C5A9418810767479
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
Start Time: 1456254217
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
SSL3 alert read:warning:close notify
closed
SSL3 alert write:warning:close notify
$
TCPdump shows traffic going to the backend AD DCs corresponding to the
'openssl s_client' connection. Because this is ECDHE encryption, I was
unable to decrypt it using Wireshark.
At this time, I don't have access to the DCs with sufficient privs to see
logs.
On Tue, Feb 23, 2016 at 7:10 AM, Lukas Erlacher <[email protected]> wrote:
> Hi,
>
> On 02/22/2016 08:54 PM, Nunya DamnedBizniss wrote:
>
>> Is SSL Termination supported in TCP Mode?
>>
>
> It certainly should be.
>
>
>> https://www.reddit.com/r/sysadmin/comments/46c1im/issue_configuring_haproxy_frontend_to_active/
>>
>
> Can't see any obvious problems from skimming this.
>
> Please run haproxy in debug mode (run haproxy -d in the foreground) to see
> what haproxy does.
>
> You might also want to run openssl s_client to see if you can establish an
> SSL session as well as monitor the backend to see if any traffic arrives
> there.
>
> If the AD server is stingy with connection logs, maybe you could set up an
> openldap (slapd) instance as a test backend. Its log levels can be turned
> up to 11 very easily.
>
> Regards,
> Lukas Erlacher
>
> --
> Rechnerbetriebsgruppe (IT operations group) of the Faculties of Mathematics and Informatics
> Room 00.05.042
> Tel. 089-289-18258
> [email protected]
> Technische Universität München - Boltzmannstr. 3 - 85748 Garching
>
>
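Added example, not from the thread or from HAProxy itself: a small Python triage helper that groups `haproxy -d` session events like the ones quoted above by session id and reports which side hung up first, since srvcls appearing before clicls means the backend closed the connection before the client did. The sample lines are constructed after the quoted ones (the first session mirrors them; the second, with the client closing first, is made up for contrast).

```python
import re
from collections import OrderedDict

# Constructed sample of `haproxy -d` output, modelled on the lines quoted in the
# thread; session 00000000 mirrors them (backend closes first), session 00000001
# is a made-up contrast case where the client hangs up first.
SAMPLE_DEBUG = """\
00000000:ldaps_service_front.accept(0007)=000a from [fluteydesktop.company.com:51384]
00000000:ldaps_service_back.srvcls[000a:000b]
00000000:ldaps_service_back.clicls[000a:000b]
00000000:ldaps_service_back.closed[000a:000b]
00000001:ldaps_service_front.accept(0007)=000c from [otherhost.company.com:51400]
00000001:ldaps_service_back.clicls[000c:000d]
00000001:ldaps_service_back.srvcls[000c:000d]
00000001:ldaps_service_back.closed[000c:000d]
"""

# <session id>:<proxy name>.<event>; accept() additionally carries the peer address
LINE_RE = re.compile(
    r"^(?P<sid>[0-9a-f]{8}):(?P<proxy>[^.]+)\.(?P<event>accept|srvcls|clicls|closed)"
    r"(?:\([0-9a-f]+\)=[0-9a-f]+ from \[(?P<peer>[^\]]+)\])?"
)


def parse_debug(text):
    """Group debug events per session id, preserving their order of appearance."""
    sessions = OrderedDict()
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unrelated debug noise, e.g. the polling-system banner
        s = sessions.setdefault(m["sid"], {"peer": None, "events": []})
        if m["event"] == "accept":
            s["peer"] = m["peer"]
        s["events"].append(m["event"])
    return sessions


def first_close(events):
    """'server' if srvcls precedes clicls, 'client' if the reverse, None if neither seen."""
    for ev in events:
        if ev == "srvcls":
            return "server"
        if ev == "clicls":
            return "client"
    return None


def diagnose(text):
    """Map session id -> (peer address, side that closed first)."""
    return {sid: (s["peer"], first_close(s["events"]))
            for sid, s in parse_debug(text).items()}


if __name__ == "__main__":
    for sid, (peer, side) in diagnose(SAMPLE_DEBUG).items():
        print(f"{sid} from {peer}: {side} closed first")
```

To use it on a real capture, save the foreground `haproxy -d` output to a file and pass its contents to `diagnose`.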