Hi Lucas,

There have been so many bugs fixed in HAProxy 1.8.2 that you should really check this latest version first, and see if you still have this issue.
Olivier

2017-12-27 17:49 GMT+01:00 Lucas Rolff <[email protected]>:
> Hi guys,
>
> I was running haproxy 1.8.1 and testing out http2, for this I require the
> alpn h2,http/1.1 in my bind – however when using multiple certificates
> together with alpn in 1.8.2 – this seems to break.
>
> My bind looks like this:
>
> bind *:443 ssl crt /etc/haproxy/certs/default.pem crt /etc/haproxy/certs alpn h2,http/1.1
>
> So I supply a default certificate (wildcard for a specific domain), second
> I supply a folder that haproxy scans and picks up all certificates within
> that directory – this configuration works perfectly in 1.8.1.
>
> In 1.8.2, I’ll get a certificate error whenever I have alpn h2,http/1.1
> added, curl gives the following error:
>
> * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
> * successfully set certificate verify locations:
> *   CAfile: /usr/local/etc/openssl/cert.pem
>   CApath: /usr/local/etc/openssl/certs
> * TLSv1.2 (OUT), TLS header, Certificate Status (22):
> * TLSv1.2 (OUT), TLS handshake, Client hello (1):
> * TLSv1.2 (IN), TLS handshake, Server hello (2):
> * TLSv1.2 (IN), TLS handshake, Certificate (11):
> * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
> * TLSv1.2 (IN), TLS handshake, Server finished (14):
> * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
> * TLSv1.2 (OUT), TLS change cipher, Client hello (1):
> * TLSv1.2 (OUT), TLS handshake, Finished (20):
> * TLSv1.2 (IN), TLS change cipher, Client hello (1):
> * TLSv1.2 (IN), TLS handshake, Finished (20):
> * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
> * ALPN, server accepted to use h2
> * Server certificate:
> *  subject: OU=Domain Control Validated; CN=*.domain.com
> *  start date: Jan  3 11:17:55 2017 GMT
> *  expire date: Jan  4 11:17:55 2018 GMT
> *  subjectAltName: host "dashboard.domain.com" matched cert's "*.domain.com"
> *  issuer: C=BE; O=GlobalSign nv-sa; CN=AlphaSSL CA - SHA256 - G2
> *  SSL certificate verify ok.
> * Using HTTP2, server supports multi-use
> * Connection state changed (HTTP/2 confirmed)
> * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
> * Using Stream ID: 1 (easy handle 0x7fe99d815400)
> > GET / HTTP/2
> > Host: dashboard.domain.com
> > User-Agent: curl/7.54.1
> > Accept: */*
> >
> * Connection state changed (MAX_CONCURRENT_STREAMS updated)!
> * Closing connection 0
> * TLSv1.2 (OUT), TLS alert, Client hello (1):
> curl: (16) Error in the HTTP2 framing layer
>
> Removing alpn (and http2 support) “fixes” the issue.
>
> Best Regards,
> Lucas Rolff
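A small probe for the situation discussed in this thread (a bind with a default certificate plus a crt directory and alpn h2,http/1.1): it connects once per SNI name, records which ALPN protocol the server picked and whether the certificate it served actually covers that name, so a regression after an upgrade shows up as a clear per-host verdict instead of a framing-layer error. This is an added example, not HAProxy's code or the poster's; the hostnames you pass on the command line and the certificate dictionary used in the test are assumptions/constructed.

```python
import socket
import ssl


def probe(host, port=443, sni=None, alpn=("h2", "http/1.1"), timeout=5.0):
    """Handshake with SNI and ALPN; return (negotiated ALPN, peer cert dict)."""
    sni = sni or host
    ctx = ssl.create_default_context()          # verifies chain and hostname
    ctx.set_alpn_protocols(list(alpn))
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            return tls.selected_alpn_protocol(), tls.getpeercert()


def cert_names(cert):
    """Collect the CN and DNS SANs from a getpeercert()-style dict."""
    names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    names += [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return names


def name_matches(name, pattern):
    """Hostname match where '*.' covers exactly one DNS label (RFC 6125 style)."""
    name, pattern = name.lower(), pattern.lower()
    if pattern.startswith("*."):
        return name.count(".") == pattern.count(".") and name.endswith(pattern[1:])
    return name == pattern


def evaluate(sni, negotiated, cert, want="h2"):
    """Return (ok, message): did the bind serve a matching cert and the wanted ALPN?"""
    served = cert_names(cert)
    if not any(name_matches(sni, p) for p in served):
        return False, f"{sni}: served certificate {served} does not cover the SNI name"
    if negotiated != want:
        return False, f"{sni}: ALPN negotiated {negotiated!r}, expected {want!r}"
    return True, f"{sni}: {want} negotiated and certificate covers the name"


if __name__ == "__main__":
    import sys
    # Hypothetical usage: python probe.py dashboard.domain.com other.example.org
    for name in sys.argv[1:]:
        try:
            proto, cert = probe(name)
            print(evaluate(name, proto, cert)[1])
        except (OSError, ssl.SSLError) as exc:
            print(f"{name}: handshake failed: {exc}")
```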

