Hi,
I have a problem with HAProxy 1.5.18 on CentOS 7.2.1511. I installed HAProxy
from the EPEL repository, so just the normal packages.
The problem is a rarely appearing SSL handshake error. HAProxy is terminating
SSL with the config below. You can see that we are load balancing Exchange. On
the syslog server I can see, out of about 43k requests, 152 handshake failures. I
captured one good handshake with Wireshark and one bad one. The problem is they
look the same. The error is a TLS error: Bad Record MAC (20).
Has somebody had the same error? The problem only occurs with a new connection
and is not only an Exchange problem. I can see approximately 6 errors on our
HTTPS websites with the same error.
global
    chroot /var/lib/haproxy
    pidfile /var/run/haproxy.pid
    maxconn 4000
    user haproxy
    group haproxy
    daemon
    ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
    tune.ssl.default-dh-param 2048

defaults
    mode http
    log global
    maxconn 3000
    option dontlognull
    option httplog
    no option httpclose
    no option http-server-close
    no option forceclose
    retries 3
    timeout http-request 10s
    timeout queue 1m
    timeout connect 10s
    timeout client 8h
    timeout server 8h
    timeout http-keep-alive 10s
    timeout check 10s

#---------------------------------------------------------------------
# HTTPS OWA - loadbalancing between the new exchange server
#---------------------------------------------------------------------
listen lb-owa
    mode http
    bind 10.202.1.67:443 ssl crt /etc/haproxy/ssl/exchange2013_access.pem no-sslv3
    acl is_owa hdr(host) -i owa.domain.de
    acl is_start path /
    acl allowed_url path_beg -i /oab /owa /ews /_ews_ /ecp /autodiscover /Microsoft-Server-ActiveSync /exchange /exchweb /rpc /public
    http-request deny if is_owa !is_start !allowed_url
    redirect location /owa if is_owa is_start
    # set limit to 5000 parallel connections in this backend and frontend
    maxconn 5000
    fullconn 5000
    balance roundrobin
    option httpchk GET /owa/healthcheck.htm HTTP/1.1\r\nHost:\ thats.not.the.host
    server ex01 ex01.domain.local:443 check ssl verify none inter 10000
    server ex02 ex02.domain.local:443 check ssl verify none inter 10000
    server ex03 ex03.domain.local:443 check ssl verify none inter 10000 backup
The Haproxy version:
HA-Proxy version 1.5.18 2016/05/10
Copyright 2000-2016 Willy Tarreau <[email protected]>
Build options :
TARGET = linux2628
CPU = generic
CC = gcc
CFLAGS = -O2 -g -fno-strict-aliasing -DTCP_USER_TIMEOUT=18
OPTIONS = USE_LINUX_TPROXY=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_PCRE=1
Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200
Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.7
Compression algorithms supported : identity, deflate, gzip
Built with OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
Running on OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.32 2012-11-30
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.
Thanks for your help.
Best Regards from Hamburg
Janek
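The post quantifies the problem from the syslog server (152 handshake failures among about 43k requests) and observes that the failures hit clients that otherwise connect fine. The script below is an added example, not part of Janek's post or of HAProxy itself: it runs that tally over a handful of constructed log lines in the shape HAProxy 1.5 writes with `option httplog` (a normal request line, and the `frontend/listener: SSL handshake failure` line the poster counted) and separates clients that both failed a handshake and completed requests from clients that only ever failed. The client addresses, timestamps, the second `lb-web` frontend and the backend server names are assumptions; only `lb-owa` comes from the post.

```python
"""Tally HAProxy 1.5 SSL handshake failures against served requests.

Added example (not from the mailing-list post): the log lines below are
constructed to match the two line shapes HAProxy 1.5 emits with
"option httplog"; none of them is real traffic.
"""
import re
from collections import Counter

# Constructed sample syslog lines. "lb-owa" is the listener from the post;
# "lb-web", the client IPs, ports, timestamps and server names are assumptions.
# Note: HAProxy logs the frontend with a trailing "~" on request lines when the
# connection was SSL, but without it on the handshake-failure line.
SAMPLE_LOG = """\
Oct 12 10:00:01 lb1 haproxy[2231]: 10.202.5.14:51234 [12/Oct/2016:10:00:01.123] lb-owa~ lb-owa/ex01 1/0/2/35/38 200 4312 - - ---- 12/12/3/1/0 0/0 "GET /owa/ HTTP/1.1"
Oct 12 10:00:02 lb1 haproxy[2231]: 10.202.5.14:51235 [12/Oct/2016:10:00:02.004] lb-owa/1: SSL handshake failure
Oct 12 10:00:02 lb1 haproxy[2231]: 10.202.5.14:51236 [12/Oct/2016:10:00:02.310] lb-owa~ lb-owa/ex02 0/0/1/22/23 200 812 - - ---- 13/13/2/1/0 0/0 "GET /ews/Exchange.asmx HTTP/1.1"
Oct 12 10:00:03 lb1 haproxy[2231]: 10.202.7.9:40011 [12/Oct/2016:10:00:03.000] lb-owa/1: SSL handshake failure
Oct 12 10:00:04 lb1 haproxy[2231]: 10.202.7.9:40012 [12/Oct/2016:10:00:04.117] lb-owa~ lb-owa/ex01 0/0/1/18/19 200 2231 - - ---- 13/13/1/1/0 0/0 "GET /autodiscover/autodiscover.xml HTTP/1.1"
Oct 12 10:00:05 lb1 haproxy[2231]: 10.202.9.2:33001 [12/Oct/2016:10:00:05.250] lb-web~ lb-web/www01 0/0/1/9/10 200 5120 - - ---- 14/1/0/0/0 0/0 "GET / HTTP/1.1"
Oct 12 10:00:06 lb1 haproxy[2231]: 10.202.9.2:33002 [12/Oct/2016:10:00:06.000] lb-web/1: SSL handshake failure
Oct 12 10:00:08 lb1 haproxy[2231]: 10.202.3.3:55001 [12/Oct/2016:10:00:08.000] lb-web/1: SSL handshake failure
Oct 12 10:00:09 lb1 haproxy[2231]: 10.202.8.8:61000 [12/Oct/2016:10:00:09.400] lb-web~ lb-web/www01 0/0/1/7/8 200 1024 - - ---- 14/1/0/0/0 0/0 "GET /index.html HTTP/1.1"
Oct 12 10:00:10 lb1 haproxy[2231]: 10.202.8.8:61001 [12/Oct/2016:10:00:10.020] lb-web~ lb-web/www01 0/0/1/6/7 200 640 - - ---- 14/1/0/0/0 0/0 "GET /favicon.ico HTTP/1.1"
"""

# "<ip>:<port> [<accept date>] <frontend>/<listener>: SSL handshake failure"
SSL_FAIL_RE = re.compile(
    r"haproxy\[\d+\]: (?P<ip>\S+):(?P<port>\d+) \[(?P<ts>[^\]]+)\] "
    r"(?P<frontend>[^/\s]+)/(?P<listener>\S+): SSL handshake failure$"
)
# httplog: "<ip>:<port> [<accept date>] <frontend> <backend>/<server> Tq/Tw/Tc/Tr/Tt <status> ..."
HTTP_REQ_RE = re.compile(
    r"haproxy\[\d+\]: (?P<ip>\S+):(?P<port>\d+) \[(?P<ts>[^\]]+)\] "
    r"(?P<frontend>\S+) (?P<backend>[^/\s]+)/(?P<server>\S+) \S+ (?P<status>-?\d+) "
)


def parse_line(line):
    """Classify one syslog line; returns a small dict, or None for lines we ignore."""
    line = line.rstrip()
    m = SSL_FAIL_RE.search(line)
    if m:
        return {"kind": "ssl_failure", "ip": m["ip"], "frontend": m["frontend"]}
    m = HTTP_REQ_RE.search(line)
    if m:
        # strip the "~" SSL marker so the name matches the failure lines
        return {"kind": "request", "ip": m["ip"],
                "frontend": m["frontend"].rstrip("~"), "status": int(m["status"])}
    return None


def summarize(log_text):
    """Failure counts, the failures-per-request ratio, and which clients are affected."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    requests = [e for e in events if e["kind"] == "request"]
    failures = [e for e in events if e["kind"] == "ssl_failure"]
    req_ips = {e["ip"] for e in requests}
    fail_ips = {e["ip"] for e in failures}
    return {
        "requests": len(requests),
        "ssl_failures": len(failures),
        # the ratio quoted in the post: handshake failures per served request
        "failure_rate": len(failures) / len(requests) if requests else None,
        "failures_by_frontend": Counter(e["frontend"] for e in failures),
        "failures_by_client": Counter(e["ip"] for e in failures),
        # a client that failed a handshake AND completed requests points to an
        # intermittent fault, not a client that cannot negotiate with this listener
        "intermittent_clients": sorted(req_ips & fail_ips),
        "failing_only_clients": sorted(fail_ips - req_ips),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against the real syslog file by replacing `SAMPLE_LOG` with the file contents; a high share of `intermittent_clients` relative to `failing_only_clients` is the pattern the post describes (failures on new connections from clients that otherwise work), whereas a client appearing only under `failing_only_clients` is more likely a cipher or protocol mismatch with the `ssl-default-bind-ciphers` / `no-sslv3` settings.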