Hi Grant,

On 03/15/2017 06:20 PM, Grant Zhang wrote:
> Hi Emeric
>
>> On Mar 15, 2017, at 10:05, Emeric Brun <[email protected]> wrote:
>>
>> Hi John,
>>
>>>> There are some inconsistencies between the engine and the client used:
>>>>
>>>> here the conf:
>>>> global
>>>> tune.ssl.default-dh-param 2048
>>>> ssl-engine qat
>>>> ssl-async
>>>>
>>>> listen gg
>>>> mode http
>>>> bind 0.0.0.0:8443 ssl crt /root/2048.pem
>>>> redirect location /
>>>>
>>>> openssl s_client -connect performs well but curl failed:
>>>> emeric@ebr-laptop:~/inject$ curl -k https://10.0.0.109:8443/
>>>> curl: (35) gnutls_handshake() failed: Bad record MAC
>>>>
>>>> If I comment out the ssl-engine line, no more issue.
>>>>
>>>> R,
>>>> Emeric
>>>>
>>>> the conf:
>>
>> I'm not sure that the issue is related to your patch, I may have hit an issue
>> in the QAT engine.
>>
>> I've made some tests using openssl s_server.
>>
>> Doing a curl request shows this error:
>> [root@centos bin]# ./openssl s_server -accept 9443 -engine qat -cert /root/2048.pem
>> ERROR
>> 140267076605760:error:1408F119:SSL routines:ssl3_get_record:decryption failed or bad record mac:ssl/record/ssl3_record.c:602:
>> shutting down SSL
>> CONNECTION CLOSED
>>
>> And using haproxy as the client also fails, with this error:
>> 140267076605760:error:800910C8:lib(128):qat_rsa_priv_enc:rsa from to null:qat_rsa.c:917:
>> 140267076605760:error:141EC044:SSL routines:tls_construct_server_key_exchange:internal error:ssl/statem/statem_srvr.c:2453:
>> shutting down SSL
>> CONNECTION CLOSED
>>
>> R,
>> Emeric
>
> Maybe you ran into the openssl 1.1 SNI issue. Does your test branch have the
> following patch:
> http://git.haproxy.org/?p=haproxy.git;a=commit;h=d3850603933c9319528375088a9b28b9b345246b
>
> If not, could you please give it a try?
>
> Thanks,
>
> Grant
Indeed, I don't have this patch. But it seems that the issue is related to the qat engine: I'm unable to perform a complete handshake using curl or haproxy in ssl client mode against openssl s_server -engine qat (no issue without the engine).

I'm currently talking with Intel guys and trying to solve it. I'll keep you informed.

R,
Emeric
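Added example, not from the thread or from HAProxy/QAT: a small decoder for the `error:XXXXXXXX:lib:func:reason:file:line` lines that openssl s_server printed above, splitting the packed code into OpenSSL's library/function/reason fields so the engine-originated error (library number 128, the first user/engine-registered library) can be told apart from the SSL-layer "bad record MAC" and "internal error" ones. The three sample lines are copied from the quoted output; the category names in `classify` are the example's own.

```python
import re

# OpenSSL 1.1 packs an error code as (lib << 24) | (func << 12) | reason.
ERR_LIB_SSL = 20                                  # 0x14
ERR_LIB_USER = 128                                # engines register libraries from here upward
SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC = 281   # 0x119
SSL_R_INTERNAL_ERROR = 68                         # 0x044 (ERR_R_INTERNAL_ERROR)

# Sample input: the error lines quoted in the thread above.
SAMPLE_LINES = [
    "140267076605760:error:1408F119:SSL routines:ssl3_get_record:decryption failed or bad record mac:ssl/record/ssl3_record.c:602:",
    "140267076605760:error:800910C8:lib(128):qat_rsa_priv_enc:rsa from to null:qat_rsa.c:917:",
    "140267076605760:error:141EC044:SSL routines:tls_construct_server_key_exchange:internal error:ssl/statem/statem_srvr.c:2453:",
]

_LINE_RE = re.compile(
    r"^(?P<thread>\d+):error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):"
    r"(?P<reason>[^:]*):(?P<file>[^:]*):(?P<line>\d+):?$"
)


def unpack_error_code(code):
    """Split a packed OpenSSL error code into (lib, func, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def parse_openssl_error(line):
    """Parse one ERR_print_errors-style line into its numeric and textual fields."""
    m = _LINE_RE.match(line.strip())
    if not m:
        raise ValueError("not an OpenSSL error line: %r" % line)
    code = int(m.group("code"), 16)
    lib, func, reason = unpack_error_code(code)
    return {
        "code": code, "lib": lib, "func": func, "reason": reason,
        "lib_name": m.group("lib"), "func_name": m.group("func"),
        "reason_text": m.group("reason"),
        "engine_error": lib >= ERR_LIB_USER,   # raised by an engine, not by libssl itself
        "file": m.group("file"), "line": int(m.group("line")),
    }


def classify(err):
    """Coarse triage bucket for a decoded error (names are this example's own)."""
    if err["engine_error"]:
        return "engine"
    if err["lib"] == ERR_LIB_SSL and err["reason"] == SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC:
        return "bad_record_mac"
    if err["lib"] == ERR_LIB_SSL and err["reason"] == SSL_R_INTERNAL_ERROR:
        return "internal_error"
    return "other"
```

Running `[classify(parse_openssl_error(l)) for l in SAMPLE_LINES]` yields `["bad_record_mac", "engine", "internal_error"]`, which matches the order in which the thread reports them.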

