@Olivier Doucet - Thanks for responding! Following are the answers to your questions.
*$ openssl version*
OpenSSL 1.0.1k-fips 8 Jan 2015

*$ haproxy -vvv*
HA-Proxy version 1.6.2 2015/11/03
Copyright 2000-2015 Willy Tarreau <[email protected]>

Build options :
  TARGET  = linux26
  CPU     = generic
  CC      = gcc
  CFLAGS  = -m64 -march=x86-64 -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement
  OPTIONS = USE_ZLIB=yes USE_OPENSSL=1 USE_PCRE=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.8
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with OpenSSL version : OpenSSL 1.0.1k-fips 8 Jan 2015
Running on OpenSSL version : OpenSSL 1.0.1k-fips 8 Jan 2015
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.21 2011-12-12
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built without Lua support
Built with transparent proxy support using: IP_TRANSPARENT IP_FREEBIND

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.
*My HAProxy config (scrubbed for security):*
-----------------------------------------------------------------------------------------------------
global
    log 127.0.0.1 local0 info
    maxconn 10000
    uid 99
    gid 99
    daemon
    #debug
    #quiet
    ca-base certs
    crt-base certs
    tune.ssl.default-dh-param 2048
    tune.bufsize 17500

defaults
    log global
    mode http
    #option httplog
    log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ %{+Q}r\ <%U<\ >%B>
    option dontlognull
    option http-server-close
    retries 3
    maxconn 10000
    timeout connect 5000
    timeout client 300000
    timeout server 300000
    compression algo gzip
    compression type text/html text/css text/javascript application/x-javascript application/javascript application/json

    # Error page definitions: Currently, HAProxy is capable of generating codes 200, 400, 403, 408, 500, 502, 503, and 504.
    errorfile 400 /etc/haproxy/errors/custom_404.html
    errorfile 403 /etc/haproxy/errors/custom_404.html
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/maintenance.html
    errorfile 503 /etc/haproxy/errors/maintenance.html
    errorfile 504 /etc/haproxy/errors/maintenance.html

listen stats
    bind :9443
    stats uri /stats
    stats hide-version
    stats refresh 5s
    stats show-legends
    stats auth admin:password

frontend public_http
    bind :80
    # Redirect all HTTP traffic to HTTPS
    redirect scheme https if !{ ssl_fc }

frontend public_https
    bind :443 ssl crt /etc/haproxy/certs/cert.pem
    # Forward client IP, Host, and Protocol to backends, using X-Forwarded- headers
    option forwardfor
    http-request set-header X-Forwarded-Proto https
    http-request add-header X-Forwarded-Host %[req.hdr(host)]
    # Prevent ClickJack attacks (malicious iFrames)
    rspadd X-Frame-Options:\ SAMEORIGIN
    ....
-----------------------------------------------------------------------------------------------------

On Tue, Mar 8, 2016 at 12:35 PM, Olivier Doucet <[email protected]> wrote:
> Hello Phil,
>
>> We have to restart the HAProxy service for it to begin responding again.
>> The crash seems to be related to cipher suite testing; HAProxy seems to
>> crash during the part of that SSLlabs.com test called "testing deprecated
>> cipher suites", and we found the solution is to specify a particular list
>> of ciphers using the option "ssl-default-bind-ciphers".
>>
>> We are using HAProxy 1.6.2. We are able to reproduce the issue on 1.6.3
>> also.
>
> I'm heavily using both HAProxy and SSLLabs check, and never experienced
> any crash. Which version of OpenSSL are you using ? Is it compiled static
> in haproxy ? Sending the output of both "haproxy -vvv" and "openssl
> version" would help, with an example of your haproxy config file (you can
> remove sensitive information. What would be really useful is the cipher
> suite you are using).
>
> Olivier
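As an added example (not from this thread or from the HAProxy project): a small Python checker that does the two triage steps Olivier asks for, parsing an HAProxy config to see whether any TLS listener runs without a pinned cipher list (the "ssl-default-bind-ciphers" workaround named above) and comparing the built-with and running-on OpenSSL lines from "haproxy -vvv". The embedded samples are constructed from the config and version output posted in this message; the cipher string and section names used in the test cases are assumptions.

```python
import re
# Constructed sample: the global and HTTPS frontend lines of the config posted
# above, which sets no ssl-default-bind-ciphers.
SAMPLE_CFG = """\
global
    log 127.0.0.1 local0 info
    tune.ssl.default-dh-param 2048
frontend public_https
    bind :443 ssl crt /etc/haproxy/certs/cert.pem
    option forwardfor
"""
# Constructed sample of the two relevant "haproxy -vvv" lines posted above.
SAMPLE_VVV = """\
Built with OpenSSL version : OpenSSL 1.0.1k-fips 8 Jan 2015
Running on OpenSSL version : OpenSSL 1.0.1k-fips 8 Jan 2015
"""
SECTION_RE = re.compile(r"^(global|defaults|frontend|backend|listen)(?:\s+\S+)?$")

def parse_sections(text):
    """Return [(section header, [directive lines])] in file order, comments dropped."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if SECTION_RE.match(line):
            current = (line, [])
            sections.append(current)
        elif current is not None:
            current[1].append(line)
    return sections

def audit_ciphers(cfg_text):
    """List TLS 'bind' lines with no 'ciphers' and no global ssl-default-bind-ciphers,
    which therefore offer OpenSSL's full default cipher list."""
    sections = parse_sections(cfg_text)
    pinned = any(l.startswith("ssl-default-bind-ciphers ")
                 for hdr, lines in sections if hdr == "global" for l in lines)
    findings = []
    for hdr, lines in sections:
        for l in lines:
            tok = l.split()
            if tok[0] == "bind" and "ssl" in tok and "ciphers" not in tok and not pinned:
                findings.append(f"{hdr}: '{l}' has no cipher list and no global default")
    return findings

def openssl_versions(vvv_text):
    """Return (built_with, running_on) from 'haproxy -vvv'; a mismatch means a dynamically linked libssl."""
    built = re.search(r"Built with OpenSSL version\s*:\s*(.+)", vvv_text)
    running = re.search(r"Running on OpenSSL version\s*:\s*(.+)", vvv_text)
    return (built.group(1).strip() if built else None,
            running.group(1).strip() if running else None)
```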

