Hi Emeric

> On Mar 15, 2017, at 10:05, Emeric Brun <[email protected]> wrote:
>
> Hi John,
>
>>> There are some inconsistencies between the engine and the client used:
>>>
>>> here the conf:
>>>
>>> global
>>>     tune.ssl.default-dh-param 2048
>>>     ssl-engine qat
>>>     ssl-async
>>>
>>> listen gg
>>>     mode http
>>>     bind 0.0.0.0:8443 ssl crt /root/2048.pem
>>>     redirect location /
>>>
>>> openssl s_client -connect performs well, but curl fails:
>>>
>>> emeric@ebr-laptop:~/inject$ curl -k https://10.0.0.109:8443/
>>> curl: (35) gnutls_handshake() failed: Bad record MAC
>>>
>>> If I comment out the ssl-engine line, there is no more issue.
>>>
>>> R,
>>> Emeric
>>>
>>> the conf:
>>>
>
> I'm not sure that the issue is related to your patch; I may have hit an issue
> in the QAT engine.
>
> I've made some tests using openssl s_server.
>
> Doing a curl request shows this error:
>
> [root@centos bin]# ./openssl s_server -accept 9443 -engine qat -cert /root/2048.pem
> ERROR
> 140267076605760:error:1408F119:SSL routines:ssl3_get_record:decryption failed or bad record mac:ssl/record/ssl3_record.c:602:
> shutting down SSL
> CONNECTION CLOSED
>
> And using haproxy as the client also fails, with this error:
>
> 140267076605760:error:800910C8:lib(128):qat_rsa_priv_enc:rsa from to null:qat_rsa.c:917:
> 140267076605760:error:141EC044:SSL routines:tls_construct_server_key_exchange:internal error:ssl/statem/statem_srvr.c:2453:
> shutting down SSL
> CONNECTION CLOSED
>
> R,
> Emeric
Maybe you ran into the OpenSSL 1.1 SNI issue. Does your test branch have the following patch?

http://git.haproxy.org/?p=haproxy.git;a=commit;h=d3850603933c9319528375088a9b28b9b345246b

If not, could you please give it a try?

Thanks,
Grant

