Hi Lucas,
On Wed, Dec 27, 2017 at 04:49:31PM +0000, Lucas Rolff wrote:
> Hi guys,
>
> I was running haproxy 1.8.1 and testing out http2; for this I require
> alpn h2,http/1.1 in my bind. However, when using multiple certificates
> together with alpn in 1.8.2, this seems to break.
>
> My bind looks like this:
>
> bind *:443 ssl crt /etc/haproxy/certs/default.pem crt /etc/haproxy/certs alpn h2,http/1.1
>
> So I supply a default certificate (wildcard for a specific domain); second, I
> supply a folder that haproxy scans, picking up all certificates within that
> directory. This configuration works perfectly in 1.8.1.
> In 1.8.2, I'll get a certificate error whenever I have alpn h2,http/1.1
> added; curl gives the following error:
>
> * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
> * successfully set certificate verify locations:
> * CAfile: /usr/local/etc/openssl/cert.pem
> CApath: /usr/local/etc/openssl/certs
> * TLSv1.2 (OUT), TLS header, Certificate Status (22):
> * TLSv1.2 (OUT), TLS handshake, Client hello (1):
> * TLSv1.2 (IN), TLS handshake, Server hello (2):
> * TLSv1.2 (IN), TLS handshake, Certificate (11):
> * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
> * TLSv1.2 (IN), TLS handshake, Server finished (14):
> * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
> * TLSv1.2 (OUT), TLS change cipher, Client hello (1):
> * TLSv1.2 (OUT), TLS handshake, Finished (20):
> * TLSv1.2 (IN), TLS change cipher, Client hello (1):
> * TLSv1.2 (IN), TLS handshake, Finished (20):
> * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
> * ALPN, server accepted to use h2
> * Server certificate:
> * subject: OU=Domain Control Validated; CN=*.domain.com
> * start date: Jan 3 11:17:55 2017 GMT
> * expire date: Jan 4 11:17:55 2018 GMT
> * subjectAltName: host "dashboard.domain.com" matched cert's "*.domain.com"
> * issuer: C=BE; O=GlobalSign nv-sa; CN=AlphaSSL CA - SHA256 - G2
> * SSL certificate verify ok.
> * Using HTTP2, server supports multi-use
> * Connection state changed (HTTP/2 confirmed)
> * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
> * Using Stream ID: 1 (easy handle 0x7fe99d815400)
> > GET / HTTP/2
> > Host: dashboard.domain.com
> > User-Agent: curl/7.54.1
> > Accept: */*
> >
> * Connection state changed (MAX_CONCURRENT_STREAMS updated)!
> * Closing connection 0
> * TLSv1.2 (OUT), TLS alert, Client hello (1):
> curl: (16) Error in the HTTP2 framing layer
>
> Removing alpn (and http2 support) "fixes" the issue.
Wow, that's scary. I have no idea what can cause this at the moment. These
parts are so isolated that I really don't understand. Just a few
questions:
- you said that using multiple certs breaks, but did you get a working
state in any way?
- if you run haproxy with -d (debug mode), do you see something like
this:
00000000:decrypt.accept(0007)=000b from [127.0.0.1:46158] ALPN=h2
00000000:decrypt.clireq[000b:ffffffff]: GET / HTTP/1.1
00000000:decrypt.clihdr[000b:ffffffff]: user-agent: curl/7.54.1
00000000:decrypt.clihdr[000b:ffffffff]: accept: */*
00000000:decrypt.clihdr[000b:ffffffff]: host: 127.0.0.1:4443
(note the "ALPN=h2" at the top)
- are you sure you didn't limit your buffer size to less than 16kB? I
was supposed to add a parse error for this when parsing a config, and
for a reason I don't remember, I think I didn't add it.
- how did you manage to get curl to emit this amount of useful debugging
information? I never got that even after reading all the options; I'm jealous!
Thanks,
Willy
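As an added check that is not part of this thread (and not haproxy's or curl's own tooling), a small shell script that connects with SNI set to a given hostname while offering h2,http/1.1, the same ALPN list as the bind above, and reports which certificate subject and ALPN protocol the server selected, so the certificate served per hostname can be compared with and without alpn on the bind. It assumes the openssl command-line tool is on PATH; the embedded s_client excerpt is constructed, not captured output.

```shell
#!/bin/sh
# Added example, not from the thread: probe a TLS endpoint that serves several
# certificates, offering ALPN h2,http/1.1 as curl did, and report which
# certificate subject and ALPN protocol the server picked for a given SNI name.
# Parsing is kept separate from the network call so it can be checked offline.

# parse_sclient: read `openssl s_client` output on stdin and print one line
# "alpn=<proto> subject=<dn>" (alpn=none when nothing was negotiated).
parse_sclient() {
    awk '
        /^ALPN protocol:/     { alpn = $3 }
        /^No ALPN negotiated/ { alpn = "none" }
        /^subject=/           { sub(/^subject=/, ""); subj = $0 }
        END {
            if (alpn == "") alpn = "none"
            printf "alpn=%s subject=%s\n", alpn, subj
        }
    '
}

# probe_host HOST[:PORT]: connect with SNI set to HOST (default port 443).
# Assumes the openssl CLI is on PATH; this part needs network access.
probe_host() {
    host=${1%%:*}
    port=${1#*:}; [ "$port" = "$1" ] && port=443
    printf '' | openssl s_client -connect "$host:$port" -servername "$host" \
        -alpn h2,http/1.1 2>/dev/null | parse_sclient
}

# Constructed s_client excerpt (not real output) modelled on the certificate
# curl showed in the report, so the parser can be exercised without a server.
SAMPLE_SCLIENT='CONNECTED(00000003)
---
subject=OU = Domain Control Validated, CN = *.domain.com
issuer=C = BE, O = GlobalSign nv-sa, CN = AlphaSSL CA - SHA256 - G2
---
ALPN protocol: h2
---'

# parse_sample: run the parser over the constructed excerpt.
parse_sample() {
    printf '%s\n' "$SAMPLE_SCLIENT" | parse_sclient
}

# Usage: sh probe.sh dashboard.domain.com other.example.test:8443
for h in "$@"; do
    printf '%s: ' "$h"; probe_host "$h"
done
```

Run it once with alpn on the bind and once without; a hostname whose reported subject changes between the two runs is the one to look at.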