1.8.2 is the latest version, or do you mean latest version as in compiling master from git?
Current build config (my 1.8.1 build config is exactly the same, except the version number is different):

HA-Proxy version 1.8.2-08396fa 2017/12/23
Copyright 2000-2017 Willy Tarreau <[email protected]>

Build options :
  TARGET  = linux2628
  CPU     = generic
  CC      = gcc
  CFLAGS  = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv -Wno-unused-label
  OPTIONS = USE_ZLIB=1 USE_OPENSSL=1 USE_SYSTEMD=1 USE_PCRE=1 USE_PCRE_JIT=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with OpenSSL version : OpenSSL 1.0.2k-fips 26 Jan 2017
Running on OpenSSL version : OpenSSL 1.0.2k-fips 26 Jan 2017
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : SSLv3 TLSv1.0 TLSv1.1 TLSv1.2
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Encrypted password support via crypt(3): yes
Built with multi-threading support.
Built with PCRE version : 8.32 2012-11-30
Running on PCRE version : 8.32 2012-11-30
PCRE library supports JIT : yes
Built with zlib version : 1.2.7
Running on zlib version : 1.2.7
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with network namespace support.

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available filters :
        [SPOE] spoe
        [COMP] compression
        [TRACE] trace

Best Regards,
Lucas Rolff

From: Olivier Doucet <[email protected]>
Date: Wednesday, 27 December 2017 at 19.14
To: Lucas Rolff <[email protected]>
Cc: "[email protected]" <[email protected]>
Subject: Re: haproxy 1.8.2 ALPN h2 broken?

Hi Lucas,

There have been so many bugs fixed in HAProxy 1.8.2 that you should really check this latest version first, and see if you still have this issue.

Olivier

2017-12-27 17:49 GMT+01:00 Lucas Rolff <[email protected]>:

Hi guys,

I was running haproxy 1.8.1 and testing out http2; for this I require the alpn h2,http/1.1 in my bind – however, when using multiple certificates together with alpn in 1.8.2 – this seems to break.

My bind looks like this:

    bind *:443 ssl crt /etc/haproxy/certs/default.pem crt /etc/haproxy/certs alpn h2,http/1.1

So I supply a default certificate (wildcard for a specific domain); second, I supply a folder that haproxy scans and picks up all certificates within that directory – this configuration works perfectly in 1.8.1.

In 1.8.2, I'll get a certificate error whenever I have alpn h2,http/1.1 added; curl gives the following error:

    * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
    * successfully set certificate verify locations:
    *   CAfile: /usr/local/etc/openssl/cert.pem
      CApath: /usr/local/etc/openssl/certs
    * TLSv1.2 (OUT), TLS header, Certificate Status (22):
    * TLSv1.2 (OUT), TLS handshake, Client hello (1):
    * TLSv1.2 (IN), TLS handshake, Server hello (2):
    * TLSv1.2 (IN), TLS handshake, Certificate (11):
    * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
    * TLSv1.2 (IN), TLS handshake, Server finished (14):
    * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
    * TLSv1.2 (OUT), TLS change cipher, Client hello (1):
    * TLSv1.2 (OUT), TLS handshake, Finished (20):
    * TLSv1.2 (IN), TLS change cipher, Client hello (1):
    * TLSv1.2 (IN), TLS handshake, Finished (20):
    * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
    * ALPN, server accepted to use h2
    * Server certificate:
    *  subject: OU=Domain Control Validated; CN=*.domain.com
    *  start date: Jan  3 11:17:55 2017 GMT
    *  expire date: Jan  4 11:17:55 2018 GMT
    *  subjectAltName: host "dashboard.domain.com" matched cert's "*.domain.com"
    *  issuer: C=BE; O=GlobalSign nv-sa; CN=AlphaSSL CA - SHA256 - G2
    *  SSL certificate verify ok.
    * Using HTTP2, server supports multi-use
    * Connection state changed (HTTP/2 confirmed)
    * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
    * Using Stream ID: 1 (easy handle 0x7fe99d815400)
    > GET / HTTP/2
    > Host: dashboard.domain.com
    > User-Agent: curl/7.54.1
    > Accept: */*
    >
    * Connection state changed (MAX_CONCURRENT_STREAMS updated)!
    * Closing connection 0
    * TLSv1.2 (OUT), TLS alert, Client hello (1):
    curl: (16) Error in the HTTP2 framing layer

Removing alpn (and http2 support) "fixes" the issue.

Best Regards,
Lucas Rolff
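The check a practitioner would want for the setup in this thread, added here as an example and not taken from the messages above or from HAProxy: for each hostname the crt directory is supposed to serve, confirm that the TLS handshake with SNI returns the expected leaf certificate and negotiates h2, and then make a real HTTP/2 request. The second step matters because in the curl trace above ALPN had already accepted h2 and the failure came from the HTTP/2 framing layer after the handshake, which a handshake-only probe never exercises. The script assumes `openssl` 1.0.2 or newer (for `-alpn`) and a `curl` built with HTTP/2 support are on PATH; the hostnames in the usage comment are placeholders.

```shell
#!/bin/sh
# Added verification script; it is not part of the original thread or of
# HAProxy. Assumes `openssl` (1.0.2+, for -alpn) and `curl` (built with
# nghttp2) on PATH. Hostnames passed to check_host are the caller's own;
# "dashboard.example.com" in the usage comment is a placeholder.

# Read `openssl s_client` output on stdin and print one summary line:
#   alpn=<proto|none> tls=<version> subject=<leaf certificate subject>
summarize_s_client() {
    out=$(cat)
    # s_client prints "ALPN protocol: h2" or "No ALPN negotiated".
    alpn=$(printf '%s\n' "$out" | sed -n 's/^ALPN protocol: //p' | head -n 1)
    # "Protocol  : TLSv1.2" lives in the SSL-Session block.
    tls=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: //p' | head -n 1)
    # "subject=..." is the leaf certificate actually served for this SNI name.
    subject=$(printf '%s\n' "$out" | sed -n 's/^subject=//p' | head -n 1)
    printf 'alpn=%s tls=%s subject=%s\n' \
        "${alpn:-none}" "${tls:-unknown}" "${subject:-unknown}"
}

# For one hostname: handshake with SNI set and h2 offered, then a real
# HTTP/2 request. curl's %{http_version} prints "2" only when the request
# really went over HTTP/2; a framing-layer error shows up as curl's own
# error text instead of a status code.
check_host() {
    host=$1
    port=${2:-443}
    handshake=$(openssl s_client -connect "$host:$port" -servername "$host" \
        -alpn h2,http/1.1 </dev/null 2>/dev/null | summarize_s_client)
    request=$(curl -sS --http2 --max-time 10 -o /dev/null \
        -w '%{http_version} %{http_code}' "https://$host:$port/" 2>&1)
    printf '%s %s http=%s\n' "$host" "$handshake" "$request"
}

# Usage: one argument per hostname expected to be served from the crt
# directory, e.g.  ./check_h2.sh dashboard.example.com api.example.com
for h in "$@"; do
    check_host "$h"
done
```

Run it against every name that has a certificate in the directory, not only the default one: the report above concerns the interaction between multiple certificates and ALPN, so a name served by the default wildcard and a name served by a directory certificate should both show `alpn=h2` and `http=2 200` (or whatever status the backend returns) before the configuration is considered good.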

