On Mon, Jul 01, 2019 at 10:55:41PM +0200, Lukas Tribus wrote:
> Hello Willy,
>
> On Mon, 1 Jul 2019 at 22:34, Willy Tarreau <[email protected]> wrote:
> >
> > On Mon, Jul 01, 2019 at 10:32:29PM +0200, Lukas Tribus wrote:
> > > Commit 54832b97 ("BUILD: enable several LibreSSL hacks, including")
> > > changed empty handshake detection in OpenSSL <= 1.0.2 and LibreSSL,
> > > from accessing packet_length directly (not available in LibreSSL) to
> > > calling SSL_state() instead.
> > (...)
> >
> > Thanks a lot Lukas. Just out of curiosity, do you have any idea of a
> > concrete user-visible issue this bug can cause? It would help bisecting
> > issues later. I don't know in what case an empty handshake may happen.
>
> The investigation was initiated by the following discourse thread:
> https://discourse.haproxy.org/t/haproxy-2-0-ssl-handshake-failure/3954
>
> It's about an Amazon ELB load-balancer and its TCP-only health check,
> which does not initiate an SSL handshake after connecting (and in this
> case, sending the proxy protocol). Haproxy 1.9 recognized the missing
> handshake and provided an appropriate log; 2.0 does not and logs a
> handshake failure/error. There is still a disparity between what the
> discourse report is saying (no logs at all for the ELB health checks
> in 1.9), and what I can actually reproduce (empty handshake detection
> causing a "Connection closed during SSL handshake" log message) - but
> I'm gonna ignore that as I don't have any clue why this is.
>
> So the difference is what we log in this situation; we should not log
> an error or a failure when the SSL handshake didn't even begin.
Ah OK, this makes sense, thanks for the explanation!

Willy
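The distinction the thread is about, as an added illustration that is not HAProxy's code and does not use OpenSSL's SSL_state(): a small Python classifier that tells "the peer closed before sending any handshake bytes" (the TCP-only health check case, optionally preceded by a PROXY protocol v1 line) from "bytes arrived but they are not a TLS handshake record", driven over a loopback socket pair. The PROXY line, its addresses and the sample payloads are constructed for the demonstration.

```python
"""Constructed example: decide what a TLS front-end should log about a peer
that connected and then closed. Not HAProxy code; the PROXY v1 line and the
sample payloads below are made up for the demonstration."""
import socket

PROXY_V1_PREFIX = b"PROXY "
TLS_HANDSHAKE_RECORD = 0x16  # TLS record content type "handshake"
TLS_MAJOR_VERSION = 0x03     # record-layer major version for SSL3/TLS1.x


def classify_prelude(data: bytes) -> str:
    """Classify the bytes a peer sent before it closed the connection.

    Returns one of:
      'no-handshake'       nothing (beyond an optional PROXY v1 line) arrived,
                           so no handshake was ever attempted; not an error
      'handshake-started'  a TLS handshake record (e.g. ClientHello) arrived,
                           so a failure after this point is a real one
      'not-tls'            bytes arrived but they are not a TLS record
    """
    if data.startswith(PROXY_V1_PREFIX):
        end = data.find(b"\r\n")          # PROXY v1 header ends at the first CRLF
        if end == -1:
            return "not-tls"              # truncated PROXY line: treat as junk
        data = data[end + 2:]
    if not data:
        return "no-handshake"
    if len(data) >= 2 and data[0] == TLS_HANDSHAKE_RECORD and data[1] == TLS_MAJOR_VERSION:
        return "handshake-started"
    return "not-tls"


def simulate(peer_bytes: bytes) -> str:
    """Drive the classifier over a real socket: the 'peer' sends peer_bytes
    (possibly nothing) and half-closes, like a TCP-only health check would."""
    server, peer = socket.socketpair()
    with server, peer:
        if peer_bytes:
            peer.sendall(peer_bytes)
        peer.shutdown(socket.SHUT_WR)     # peer is done; server sees EOF
        buf = b""
        while chunk := server.recv(4096):
            buf += chunk
    return classify_prelude(buf)


if __name__ == "__main__":
    elb_check = b"PROXY TCP4 10.0.0.5 10.0.0.9 43210 443\r\n"  # constructed
    print(simulate(elb_check))                                  # no-handshake
    print(simulate(elb_check + b"\x16\x03\x01\x00\x05hello"))  # handshake-started
    print(simulate(b"GET / HTTP/1.0\r\n"))                     # not-tls
```

Only the first of the three cases should be logged as "no handshake attempted"; the other two legitimately belong in the handshake-error path.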

