Latest 2.8-dev not doing TLS 1.2

Fri, 19 May 2023 12:34:01 -0700

I have a config that I have had in place for a while now. It did TLS 1.2 and 1.3, and got an A+ rating at SSL Labs.
Today I was running the SSL test again and it only got an A rating instead of A+. Looking deeper at the results, I saw that it was no longer doing TLS 1.2 ... only TLS 1.3. 


Below are the global section, the defaults section, the bind lines from 
the frontend, and haproxy -vv output.  If there is something missing 
that would shine a light on the issue, please let me know.



I haven't changed any TLS-related config for a LONG time now.  Is there 
something I am doing wrong that has disabled TLS 1.2 in 2.8-dev?


Thanks,
Shawn

---
global
        log 127.0.0.1 len 65535 format rfc5424 local0
        log 127.0.0.1 len 65535 format rfc5424 local1 notice
        maxconn 4096
        daemon
        #debug
        #quiet
        spread-checks   2
        tune.h2.max-concurrent-streams  1000
        tune.bufsize    65536
        tune.http.logurilen     49152
        ssl-server-verify       none
        tune.ssl.default-dh-param       4096
        tune.ssl.cachesize      100000
        tune.ssl.lifetime       900

	ssl-default-bind-ciphers 
ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384
	ssl-default-bind-ciphersuites 
TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384

        ssl-default-bind-options        no-sslv3 no-tlsv10 no-tlsv11
#       ssl-default-server-ciphers      RC4-MD5

	ssl-default-server-ciphers 
RC4-MD5:ECDHE-RSA-AES256-SHA384:AES256-SHA:AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256

        stats socket /etc/haproxy/stats.socket

defaults
        log     global
        mode    http
        option  forwardfor except 127.0.0.1
        option  socket-stats
        balance leastconn
        option  httplog
        option  dontlognull
        option  redispatch
# commented because http3/quic doesn't like it
#       option  abortonclose
        retries 1
        compression algo gzip

	compression type text/css text/html text/javascript 
application/javascript text/plain text/xml application/json application/css

        timeout connect 5s
        timeout client  15s
        timeout server  120s
        timeout http-keep-alive 5s
        timeout check   9990
        retry-on all-retryable-errors
        http-errors myerrors
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 404 /etc/haproxy/errors/404.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/50x.http
        errorfile 503 /etc/haproxy/errors/50x.http
        errorfile 504 /etc/haproxy/errors/50x.http
---

	bind 0.0.0.0:443 name web443 ssl crt 
/etc/ssl/certs/local/REDACTED1.wildcards.combined.pem crt 
/etc/ssl/certs/local/REDACTED2.wildcards.combined.pem alpn h2,http/1.1 
npn h2,http/1.1 allow-0rtt curves secp521r1:secp384r1
	bind quic4@192.168.217.170:443 name quic443_vip ssl crt 
/etc/ssl/certs/local/REDACTED1.wildcards.combined.pem crt 
/etc/ssl/certs/local/REDACTED2.wildcards.combined.pem proto quic alpn h3 
npn h3 allow-0rtt curves secp521r1:secp384r1
	bind quic4@192.168.217.200:443 name quic443_smeagol ssl crt 
/etc/ssl/certs/local/REDACTED1.wildcards.combined.pem crt 
/etc/ssl/certs/local/REDACTED2.wildcards.combined.pem proto quic alpn h3 
npn h3 allow-0rtt curves secp521r1:secp384r1
	bind quic4@192.168.217.202:443 name quic443_gandalf ssl crt 
/etc/ssl/certs/local/REDACTED1.wildcards.combined.pem crt 
/etc/ssl/certs/local/REDACTED2.wildcards.combined.pem proto quic alpn h3 
npn h3 allow-0rtt curves secp521r1:secp384r1

---
HAProxy version 2.8-dev12-ffdf6a-1 2023/05/17 - https://haproxy.org/
Status: development branch - not safe for use in production.
Known bugs: https://github.com/haproxy/haproxy/issues?q=is:issue+is:open

Running on: Linux 6.1.0-1012-oem #12-Ubuntu SMP PREEMPT_DYNAMIC Tue May 
9 17:12:06 UTC 2023 x86_64

Build options :
  TARGET  = linux-glibc
  CPU     = native
  CC      = cc

  CFLAGS  = -O2 -march=native -g -Wall -Wextra -Wundef 
-Wdeclaration-after-statement -Wfatal-errors -Wtype-limits 
-Wshift-negative-value -Wshift-overflow=2 -Wduplicated-cond 
-Wnull-dereference -fwrapv -Wno-address-of-packed-member 
-Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-clobbered 
-Wno-missing-field-initializers -Wno-cast-function-type 
-Wno-string-plus-int -Wno-atomic-alignment
  OPTIONS = USE_OPENSSL=1 USE_ZLIB=1 USE_SYSTEMD=1 USE_QUIC=1 
USE_PCRE2_JIT=1

  DEBUG   = -DDEBUG_STRICT -DDEBUG_MEMORY_POOLS


Feature list : -51DEGREES +ACCEPT4 +BACKTRACE -CLOSEFROM +CPU_AFFINITY 
+CRYPT_H -DEVICEATLAS +DL -ENGINE +EPOLL -EVPORTS +GETADDRINFO -KQUEUE 
-LIBATOMIC +LIBCRYPT +LINUX_SPLICE +LINUX_TPROXY -LUA -MATH 
-MEMORY_PROFILING +NETFILTER +NS -OBSOLETE_LINKER +OPENSSL 
-OPENSSL_WOLFSSL -OT -PCRE +PCRE2 +PCRE2_JIT -PCRE_JIT +POLL +PRCTL 
-PROCCTL -PROMEX -PTHREAD_EMULATION +QUIC +RT +SHM_OPEN -SLZ +SSL 
-STATIC_PCRE -STATIC_PCRE2 +SYSTEMD +TFO +THREAD +THREAD_DUMP +TPROXY 
-WURFL +ZLIB


Default settings :
  bufsize = 16384, maxrewrite = 1024, maxpollevents = 200


Built with multi-threading support (MAX_TGROUPS=16, MAX_THREADS=256, 
default=48).

Built with OpenSSL version : OpenSSL 3.1.0+quic 14 Mar 2023
Running on OpenSSL version : OpenSSL 3.1.0+quic 14 Mar 2023
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
OpenSSL providers loaded : default
Built with network namespace support.
Built with zlib version : 1.2.11
Running on zlib version : 1.2.11

Compression algorithms supported : identity("identity"), 
deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with transparent proxy support using: IP_TRANSPARENT 
IPV6_TRANSPARENT IP_FREEBIND

Built with PCRE2 version : 10.39 2021-10-29
PCRE2 library supports JIT : yes
Encrypted password support via crypt(3): yes
Built with gcc compiler version 11.3.0

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
       quic : mode=HTTP  side=FE     mux=QUIC  flags=HTX|NO_UPG|FRAMED
         h2 : mode=HTTP  side=FE|BE  mux=H2    flags=HTX|HOL_RISK|NO_UPG
       fcgi : mode=HTTP  side=BE     mux=FCGI  flags=HTX|HOL_RISK|NO_UPG
  <default> : mode=HTTP  side=FE|BE  mux=H1    flags=HTX
         h1 : mode=HTTP  side=FE|BE  mux=H1    flags=HTX|NO_UPG
  <default> : mode=TCP   side=FE|BE  mux=PASS  flags=
       none : mode=TCP   side=FE|BE  mux=PASS  flags=NO_UPG

Available services : none

Available filters :
        [BWLIM] bwlim-in
        [BWLIM] bwlim-out
        [CACHE] cache
        [COMP] compression
        [FCGI] fcgi-app
        [SPOE] spoe
        [TRACE] trace























					Reply via email to