Hi.
On 09.12.2019 at 12:06, NublaII Lists wrote:
I have a bunch of pools of windows IIS servers behind haproxy, and from time to
time (I can't reproduce it on demand) they can't establish a secure connection
between pools.
What's in the haproxy log at this time?
For example, I have servers 1 through 4 with APP and servers 5 through 9 with
API.
APP needs to establish encrypted https connections with API and on rare
occasions they can't manage to get a connection established.
I'm doing https termination on haproxy and the backends are setup with https.
The IIS servers have https configured properly (with a "good" certificate).
I am using haproxy v1.5.19 (Ubuntu 14.04) and IIS 8.5 on Windows 2012R2.
Checking with openssl I get this when I ask for a connection:
from haproxy: Cipher : ECDHE-RSA-AES128-SHA
from iis: Cipher : ECDHE-RSA-AES256-SHA
Can this be a problem? Should I try to have everything match and use the same
preferred encryption?
The actual app error is:
The request was aborted: Could not create SSL/TLS secure channel. at
System.Net.HttpWebRequest.EndGetRequestStream(IAsyncResult asyncResult,
TransportContext& context) at
System.Net.Http.HttpClientHandler.GetRequestStreamCallback(IAsyncResult ar)
The error I get on the IIS side is per the Event Viewer: A fatal alert was
received from the remote endpoint. The TLS protocol defined fatal alert code is 20.
According to this page (event ID 36887):
https://blogs.msdn.microsoft.com/kaushal/2012/10/05/ssltls-alert-protocol-the-alert-codes/
it has something to do with "bad_record_mac. Received a record with an
incorrect MAC. This message is always fatal."
Could this message hide some overload state?
What are your settings for the following parameters?
https://cbonte.github.io/haproxy-dconv/1.5/configuration.html#maxconn
https://cbonte.github.io/haproxy-dconv/1.5/configuration.html#maxconnrate
https://cbonte.github.io/haproxy-dconv/1.5/configuration.html#maxsessrate
https://cbonte.github.io/haproxy-dconv/1.5/configuration.html#maxsslconn
https://cbonte.github.io/haproxy-dconv/1.5/configuration.html#maxsslrate
Timeout
It's called Circuit Breaker pattern.
https://martinfowler.com/bliki/CircuitBreaker.html
In general can you share your minimal config?
@haproxy.com: It would be nice to have a blog post which talks about the
excellent options for Circuit Breaker in haproxy like the timeouts, queues and
the other options.
My settings on haproxy related to encryption
(https://ssl-config.mozilla.org/#server=haproxy&server-version=1.5.19&config=old&openssl-version=1.0.1f&hsts=false&ocsp=false):
tune.ssl.default-dh-param 2048
ssl-default-bind-ciphers
ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
ssl-default-bind-options no-sslv3 no-tls-tickets
ssl-default-server-ciphers
ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
ssl-default-server-options no-sslv3 no-tls-tickets
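An added example, not code from this thread or from the haproxy project, showing how the limits, queueing and timeout options the reply points at fit together in a haproxy 1.5-style configuration; the numbers, certificate and CA paths, health-check URI and server addresses are all assumptions to be tuned for the real pools.

```haproxy
# Added example, not from the thread: haproxy 1.5-style limits and timeouts
# that bound how much load reaches the IIS pools. Every value, path and
# address below is an assumption.
global
    log /dev/log local0
    maxconn     4000     # concurrent connections for the whole process
    maxconnrate 200      # new connections accepted per second
    maxsessrate 200      # new sessions created per second
    maxsslconn  2000     # concurrent SSL connections (handshake memory)
    maxsslrate  50       # new SSL handshakes per second
    tune.ssl.default-dh-param 2048
    ssl-default-bind-options   no-sslv3 no-tls-tickets
    ssl-default-server-options no-sslv3 no-tls-tickets

defaults
    mode http
    log global
    timeout connect 5s   # TCP+TLS connect to a backend server
    timeout client  30s
    timeout server  30s
    timeout queue   10s  # max wait for a free server slot before a 503
    retries 3
    option redispatch    # after retries fail, try another server in the pool

# APP servers 1-4 call the API pool (servers 5-9) through this frontend.
frontend fe_api
    bind *:443 ssl crt /etc/haproxy/certs/api.pem   # placeholder cert path
    # add the negotiated TLS version and cipher to each log line so a failed
    # request can be correlated with the Event Viewer alert on the IIS side
    log-format "%ci:%cp [%t] %ft %b/%s %Tq/%Tw/%Tc/%Tr/%Tt %ST %B %tsc %sslv/%sslc %{+Q}r"
    default_backend be_api

backend be_api
    balance roundrobin
    option httpchk GET /health        # placeholder health-check URI
    # per-server maxconn: beyond it, requests queue (bounded by timeout
    # queue) instead of piling onto an already busy IIS; this is the
    # circuit-breaker-like behaviour the reply refers to. The CA file is a
    # placeholder for the CA that issued the IIS certificates.
    server api5 10.0.0.5:443 ssl verify required ca-file /etc/haproxy/ca.pem check inter 2s fall 3 rise 2 maxconn 200
    server api6 10.0.0.6:443 ssl verify required ca-file /etc/haproxy/ca.pem check inter 2s fall 3 rise 2 maxconn 200
    server api7 10.0.0.7:443 ssl verify required ca-file /etc/haproxy/ca.pem check inter 2s fall 3 rise 2 maxconn 200
```

With `%sslv/%sslc` in the log line, a request that fails with the app's "Could not create SSL/TLS secure channel" error can be matched against the haproxy log entry and the alert code 20 event on the IIS side by timestamp.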