On Wed, Jun 24, 2020 at 01:32:29AM +0200, Marcel Menzel wrote:
> Hello list,
>
> after unsuccessful search in the documentation I am asking here if it's
> possible to somehow make HAProxy log the reason why a SSL handshake
> failed (especially on a frontend).
> I am thinking of logging the SSL alert message, for example logging if
> the message came from the server or the client, the AlertLevel and the
> alert message:
>
> "ft_https/1: SSL handshake failure: C>S fatal certificate_unknown"
>
> We've had to deal with the expired AddTrust certificate and saw a lot of
> logged SSL handshake failures, but since HAProxy doesn't log the reason
> why a handshake failed we had to use tcpdump to get SSL alert number
> leading to an aborted SSL handshake.
>
>
> Kind regards,
>
> Marcel Menzel

Unfortunately it's not possible yet, but we were asked this many times and we
will definitely improve that. At the moment what is logged is the error string
which is provided by OpenSSL.

A ticket was opened a few days ago about it on GitHub:
https://github.com/haproxy/haproxy/issues/693

Regards,

-- 
William Lallemand
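
The manual step described in the quoted message (reading the alert number out of a tcpdump capture) can be scripted. The following is an added example, not part of the original thread and not HAProxy code: it walks the TLS records of one direction of a reassembled TCP stream and prints plaintext alerts in the "C>S fatal certificate_unknown" form asked for above. The function name `decode_alerts` and the sample bytes are constructed for illustration.

```python
import struct

# Alert levels and a subset of alert descriptions (values from RFC 5246 / RFC 8446).
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error",
    112: "unrecognized_name", 120: "no_application_protocol",
}
CONTENT_TYPE_ALERT = 21  # TLS record content type for alerts


def decode_alerts(stream, direction):
    """Return one line per alert record found in `stream`.

    `stream` is the reassembled TCP payload of ONE direction of a connection;
    `direction` is a label such as "C>S" or "S>C" chosen by the caller.
    """
    found = []
    offset = 0
    while offset + 5 <= len(stream):
        # Record header: content type (1), protocol version (2), length (2).
        ctype, _version, length = struct.unpack_from("!BHH", stream, offset)
        body = stream[offset + 5:offset + 5 + length]
        offset += 5 + length
        if len(body) < length:
            break  # capture ends in the middle of a record
        if ctype != CONTENT_TYPE_ALERT:
            continue
        if length != 2:
            # A plaintext alert is exactly 2 bytes; anything longer was sent
            # after encryption started and cannot be decoded without the keys.
            found.append(f"{direction} encrypted alert ({length} bytes)")
            continue
        level, desc = body
        found.append("{} {} {}".format(
            direction,
            ALERT_LEVELS.get(level, f"level_{level}"),
            ALERT_DESCRIPTIONS.get(desc, f"alert_{desc}")))
    return found


# Constructed sample: a dummy handshake record, then alert level 2, description 46.
SAMPLE_CLIENT_STREAM = bytes.fromhex("160301000401000000" "1503030002022e")
if __name__ == "__main__":
    print("\n".join(decode_alerts(SAMPLE_CLIENT_STREAM, "C>S")))
```

With TLS 1.3, alerts sent after the ServerHello are encrypted and carried in records of a different outer content type, so a passive capture only yields alert names for handshakes that fail while still in plaintext.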