2017-12-27 19:16 GMT+01:00 Lucas Rolff <[email protected]>:
> 1.8.2 is the latest version, or do you mean latest version as in compiling
> master from git?

Both are OK to test with.

> Current build config (my 1.8.1 build config is exactly the same, except
> version number is different):
>
> HA-Proxy version 1.8.2-08396fa 2017/12/23
> Copyright 2000-2017 Willy Tarreau <[email protected]>
>
> Build options :
>   TARGET  = linux2628
>   CPU     = generic
>   CC      = gcc
>   CFLAGS  = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv -Wno-unused-label
>   OPTIONS = USE_ZLIB=1 USE_OPENSSL=1 USE_SYSTEMD=1 USE_PCRE=1 USE_PCRE_JIT=1
>
> Default settings :
>   maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200
>
> Built with OpenSSL version : OpenSSL 1.0.2k-fips 26 Jan 2017
> Running on OpenSSL version : OpenSSL 1.0.2k-fips 26 Jan 2017
> OpenSSL library supports TLS extensions : yes
> OpenSSL library supports SNI : yes
> OpenSSL library supports : SSLv3 TLSv1.0 TLSv1.1 TLSv1.2
> Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
> Encrypted password support via crypt(3): yes
> Built with multi-threading support.
> Built with PCRE version : 8.32 2012-11-30
> Running on PCRE version : 8.32 2012-11-30
> PCRE library supports JIT : yes
> Built with zlib version : 1.2.7
> Running on zlib version : 1.2.7
> Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
> Built with network namespace support.
>
> Available polling systems :
>       epoll : pref=300,  test result OK
>        poll : pref=200,  test result OK
>      select : pref=150,  test result OK
> Total: 3 (3 usable), will use epoll.
>
> Available filters :
>         [SPOE] spoe
>         [COMP] compression
>         [TRACE] trace

And do you have the same issue with this version ?

Olivier

> > Hi Lucas,
> >
> > There have been so many bugs fixed in HAProxy 1.8.2 you should really check
> > this latest version first, and see if you still have this issue.
> >
> > Olivier
> >
> > 2017-12-27 17:49 GMT+01:00 Lucas Rolff <[email protected]>:
> > > Hi guys,
> > >
> > > I was running haproxy 1.8.1 and testing out http2, for this I require the
> > > alpn h2,http/1.1 in my bind – however when using multiple certificates
> > > together with alpn in 1.8.2 – this seems to break.
> > >
> > > My bind looks like this:
> > >
> > > bind *:443 ssl crt /etc/haproxy/certs/default.pem crt /etc/haproxy/certs alpn h2,http/1.1
> > >
> > > So I supply a default certificate (wildcard for a specific domain), second
> > > I supply a folder that haproxy scans and picks up all certificates within
> > > that directory – this configuration works perfectly in 1.8.1
> > >
> > > In 1.8.2, I'll get a certificate error whenever I have alpn h2,http/1.1
> > > added, curl gives the following error:
> > >
> > > * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
> > > * successfully set certificate verify locations:
> > > *   CAfile: /usr/local/etc/openssl/cert.pem
> > >   CApath: /usr/local/etc/openssl/certs
> > > * TLSv1.2 (OUT), TLS header, Certificate Status (22):
> > > * TLSv1.2 (OUT), TLS handshake, Client hello (1):
> > > * TLSv1.2 (IN), TLS handshake, Server hello (2):
> > > * TLSv1.2 (IN), TLS handshake, Certificate (11):
> > > * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
> > > * TLSv1.2 (IN), TLS handshake, Server finished (14):
> > > * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
> > > * TLSv1.2 (OUT), TLS change cipher, Client hello (1):
> > > * TLSv1.2 (OUT), TLS handshake, Finished (20):
> > > * TLSv1.2 (IN), TLS change cipher, Client hello (1):
> > > * TLSv1.2 (IN), TLS handshake, Finished (20):
> > > * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
> > > * ALPN, server accepted to use h2
> > > * Server certificate:
> > > *  subject: OU=Domain Control Validated; CN=*.domain.com
> > > *  start date: Jan  3 11:17:55 2017 GMT
> > > *  expire date: Jan  4 11:17:55 2018 GMT
> > > *  subjectAltName: host "dashboard.domain.com" matched cert's "*.domain.com"
> > > *  issuer: C=BE; O=GlobalSign nv-sa; CN=AlphaSSL CA - SHA256 - G2
> > > *  SSL certificate verify ok.
> > > * Using HTTP2, server supports multi-use
> > > * Connection state changed (HTTP/2 confirmed)
> > > * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
> > > * Using Stream ID: 1 (easy handle 0x7fe99d815400)
> > > > GET / HTTP/2
> > > > Host: dashboard.domain.com
> > > > User-Agent: curl/7.54.1
> > > > Accept: */*
> > > >
> > > * Connection state changed (MAX_CONCURRENT_STREAMS updated)!
> > > * Closing connection 0
> > > * TLSv1.2 (OUT), TLS alert, Client hello (1):
> > > curl: (16) Error in the HTTP2 framing layer
> > >
> > > Removing alpn (and http2 support) "fixes" the issue.
> > >
> > > Best Regards,
> > > Lucas Rolff
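A diagnostic added here for the kind of report above (it is not code from the thread or from HAProxy): for each SNI name it handshakes against the listener once offering h2 and once offering only http/1.1, then reports whether h2 was selected and whether the served certificate changed between the two, which separates a certificate-selection problem from an HTTP/2 framing problem. Host, port and SNI names are assumptions passed on the command line; the served chain must validate against the system CA store for the subject to be readable.

```python
"""Compare the certificate a TLS listener serves for an SNI name with and
without h2 offered via ALPN. Standard library only."""
import socket
import ssl
import sys


def probe(host, port, sni, alpn, timeout=5.0):
    """One TLS handshake; return negotiated ALPN, cipher and the served cert's CN and DNS SANs.

    check_hostname is off on purpose so that a wrongly selected certificate is
    reported instead of aborting the handshake; chain validation still applies.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    if alpn:
        ctx.set_alpn_protocols(alpn)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            cert = tls.getpeercert()
            cn = next((v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"), None)
            sans = sorted(v for t, v in cert.get("subjectAltName", ()) if t == "DNS")
            return {"alpn": tls.selected_alpn_protocol(), "cipher": tls.cipher()[0], "cn": cn, "sans": sans}


def compare(with_h2, without_h2):
    """Return findings; an empty list means h2 was selected and both handshakes
    served the same certificate (same CN and same DNS SANs)."""
    findings = []
    if with_h2["alpn"] != "h2":
        findings.append(f"server did not select h2 (got {with_h2['alpn']!r})")
    if (with_h2["cn"], with_h2["sans"]) != (without_h2["cn"], without_h2["sans"]):
        findings.append(f"certificate differs: CN={with_h2['cn']} with h2 offered "
                        f"vs CN={without_h2['cn']} without")
    return findings


def check(host, port, sni_names):
    """Probe every SNI name both ways and map each name to its findings."""
    report = {}
    for sni in sni_names:
        h2 = probe(host, port, sni, ["h2", "http/1.1"])
        plain = probe(host, port, sni, ["http/1.1"])
        report[sni] = compare(h2, plain)
    return report


if __name__ == "__main__":
    # assumed usage: python probe_alpn.py <host> <port> <sni-name> [<sni-name> ...]
    host, port, *names = sys.argv[1:]
    for sni, findings in check(host, int(port), names).items():
        print(sni, "OK" if not findings else "; ".join(findings))
```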

