Hello Willy,

On Mon, 1 Jul 2019 at 22:34, Willy Tarreau <[email protected]> wrote:
>
> On Mon, Jul 01, 2019 at 10:32:29PM +0200, Lukas Tribus wrote:
> > Commit 54832b97 ("BUILD: enable several LibreSSL hacks, including")
> > changed empty handshake detection in OpenSSL <= 1.0.2 and LibreSSL,
> > from accessing packet_length directly (not available in LibreSSL) to
> > calling SSL_state() instead.
> (...)
>
> Thanks a lot Lukas. Just out of curiosity, do you have any idea of a
> concrete user-visible issue this bug can cause? It would help bisecting
> issues later. I don't know in what case an empty handshake may happen.
The investigation was initiated by the following discourse thread:
https://discourse.haproxy.org/t/haproxy-2-0-ssl-handshake-failure/3954

It's about an Amazon ELB load-balancer and its TCP-only health check, which does not initiate an SSL handshake after connecting (and in this case, sending the proxy protocol). Haproxy 1.9 recognized the missing handshake and provided an appropriate log; 2.0 does not and logs a handshake failure/error.

There is still a disparity between what the discourse report is saying (no logs at all for the ELB health checks in 1.9) and what I can actually reproduce (empty handshake detection causing a "Connection closed during SSL handshake" log message), but I'm gonna ignore that as I don't have any clue why this is.

So the difference is what we log in this situation; we should not log an error or a failure when the SSL handshake didn't even begin.

Lukas
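As an added illustration (not code from this thread or from haproxy itself), the scenario described above reproduced offline in Python over a socketpair: a probe that sends a constructed PROXY v1 line and closes without ever sending a ClientHello, and a receiving side that classifies the close as "no handshake began" versus "closed during handshake", which is the distinction the log line should reflect. The function names, the sample PROXY header and the classification labels are assumptions made for the example.

```python
import socket

TLS_HANDSHAKE_RECORD = 0x16  # content type of a TLS handshake record (ClientHello)

def tcp_only_probe(sock, send_proxy_header=True, partial_hello=False):
    """Mimic the reported ELB probe (hypothetical helper): optionally send a
    PROXY protocol v1 line, optionally a truncated ClientHello, then close."""
    if send_proxy_header:
        # Constructed sample header; addresses and ports are placeholders.
        sock.sendall(b"PROXY TCP4 192.0.2.10 198.51.100.20 45678 443\r\n")
    if partial_hello:
        # Constructed start of a TLS 1.0 handshake record, cut off mid-ClientHello.
        sock.sendall(b"\x16\x03\x01\x00\xc8\x01")
    sock.close()

def strip_proxy_v1(data):
    """Return the bytes that follow a leading PROXY v1 line, if one is present."""
    if data.startswith(b"PROXY "):
        end = data.find(b"\r\n")
        if end != -1:
            return data[end + 2:]
    return data

def classify_peer_close(sock):
    """Read until the peer hangs up and name the log line that fits: 'no-handshake'
    (no TLS bytes ever arrived, the health-check case), 'closed-during-handshake'
    (a handshake record was begun but cut off), or 'not-tls' for anything else."""
    chunks = []
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            break
        chunks.append(chunk)
    payload = strip_proxy_v1(b"".join(chunks))
    if not payload:
        return "no-handshake"
    if payload[0] == TLS_HANDSHAKE_RECORD:
        return "closed-during-handshake"
    return "not-tls"

def run_scenario(send_proxy_header=True, partial_hello=False):
    """Drive probe and listener over a socketpair so the demo runs offline."""
    client, server = socket.socketpair()
    tcp_only_probe(client, send_proxy_header, partial_hello)
    verdict = classify_peer_close(server)
    server.close()
    return verdict

if __name__ == "__main__":
    print(run_scenario(), run_scenario(partial_hello=True))
```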

