RE: SSLv2Hello is disabled
-----Original Message-----
From: Lukas Tribus [mailto:luky...@hotmail.com]
Sent: Wednesday, December 02, 2015 4:42 PM
To: Cohen Galit; Igor Cicimov
Cc: HAProxy
Subject: RE: SSLv2Hello is disabled

Hi Galit,

> I want to emphasize that the following test succeeded:
>
> [root@proxy-au51 ~]# openssl s_client -connect 10.106.75.53:50443 -tls1
>
> CONNECTED(0003)

Ok.

> Built with OpenSSL version : OpenSSL 0.9.8b 04 May 2006
> Running on OpenSSL version : OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008

I don't like this. Built against an older non-FIPS 0.9.8b while running with 0.9.8e-fips. This could very well cause issues here.

Let me guess, the RPMs have not been installed via the original repository, but via a third-party RPM website from Google, right? That's not good.

[Cohen Galit] I'm sorry, I can't answer that since I got this rpm as is. I'll try to pack again the OpenSSL files (must work with rpm) from the original repository and will let you know. Thanks.

> Should I just add to haproxy.cfg the following?
> force-tlsv10

Yes, you can try:

global
    ssl-default-server-options no-sslv3

or:

global
    ssl-default-server-options force-tlsv10

But I'm afraid it may be more complex than that ...

Regards,
Lukas
RE: SSLv2Hello is disabled
Hi,

> I'll try to pack again the OpenSSL files (must work with rpm) from
> original repository and will let you know. Thanks.

Ok, but first try the other proposal (takes less time):

>> Should I just add to haproxy.cfg the following?
>> force-tlsv10
>
> Yes, you can try:
>
> global
>     ssl-default-server-options no-sslv3
>
> or:
>
> global
>     ssl-default-server-options force-tlsv10

Regards,
Lukas
RE: SSLv2Hello is disabled
Already did. Unfortunately same error in servers.

-----Original Message-----
From: Lukas Tribus [mailto:luky...@hotmail.com]
Sent: Thursday, December 03, 2015 3:36 PM
To: Cohen Galit
Cc: HAProxy
Subject: RE: SSLv2Hello is disabled

Hi,

> I'll try to pack again the OpenSSL files (must work with rpm) from
> original repository and will let you know. Thanks.

Ok, but first try the other proposal (takes less time):

>> Should I just add to haproxy.cfg the following?
>> force-tlsv10
>
> Yes, you can try:
>
> global
>     ssl-default-server-options no-sslv3
>
> or:
>
> global
>     ssl-default-server-options force-tlsv10

Regards,
Lukas
RE: SSLv2Hello is disabled
Hi Galit,

> I want to emphasize that the following test succeeded:
>
> [root@proxy-au51 ~]# openssl s_client -connect 10.106.75.53:50443 -tls1
>
> CONNECTED(0003)

Ok.

> Built with OpenSSL version : OpenSSL 0.9.8b 04 May 2006
> Running on OpenSSL version : OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008

I don't like this. Built against an older non-FIPS 0.9.8b while running with 0.9.8e-fips. This could very well cause issues here.

Let me guess, the RPMs have not been installed via the original repository, but via a third-party RPM website from Google, right? That's not good.

> Should I just add to haproxy.cfg the following?
> force-tlsv10

Yes, you can try:

global
    ssl-default-server-options no-sslv3

or:

global
    ssl-default-server-options force-tlsv10

But I'm afraid it may be more complex than that ...

Regards,
Lukas
RE: SSLv2Hello is disabled
>>>> javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled
>>> You need to disable SSLv3 in haproxy
>>
>> We are talking about the SSLv2 hello format. It's not about SSLv2
>> or SSLv3, it's about the hello format.
> Which can also be used by sslv3 clients hence my comment.

True, but disabling or enabling SSLv3 doesn't impact the hello format behavior in OpenSSL afaik.

> However, haproxy unconditionally sets SSL_OP_NO_SSLv2, which
> makes openssl not use the SSLv2 Hello, so I don't see why this would
> happen.

This is the openssl behavior since 0.9.8:
https://github.com/openssl/openssl/commit/c6c2e3135dd6cff21bb4cd05a3891b5fdde04977

Maybe the OP uses an ancient openssl version (<= 0.9.7).

Galit, can you provide the output of "haproxy -vv"? Also please clarify if you are authenticating the client and/or the server. Providing a tcpdump of this failed handshake would also be helpful.

Regards,
Lukas
RE: SSLv2Hello is disabled
Thanks, all, for your help!

For your questions:

I use openssl 0.9.8

Haproxy -vv:

[root@proxy-au51 ~]# haproxy -vv
HA-Proxy version 1.5.9 2014/11/25
Copyright 2000-2014 Willy Tarreau <w...@1wt.eu>

Build options :
  TARGET  = linux26
  CPU     = i686
  CC      = gcc
  CFLAGS  = -m32 -march=i686 -O2 -march=i686 -g -fno-strict-aliasing
  OPTIONS = USE_LINUX_SPLICE=1 USE_LINUX_TPROXY=1 USE_LIBCRYPT=1 USE_OPENSSL=1 USE_PCRE=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built without zlib support (USE_ZLIB not set)
Compression algorithms supported : identity
Built with OpenSSL version : OpenSSL 0.9.8b 04 May 2006
Running on OpenSSL version : OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : no (version might be too old, 0.9.8f min needed)
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 6.6 06-Feb-2006
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Currently only the server requires authentication, in TLS only (!), and haproxy is configured with "check verify none" for all servers.

-----Original Message-----
From: Lukas Tribus [mailto:luky...@hotmail.com]
Sent: Wednesday, December 02, 2015 11:25 AM
To: Igor Cicimov
Cc: Cohen Galit; HAProxy
Subject: RE: SSLv2Hello is disabled

>>>> javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled
>>> You need to disable SSLv3 in haproxy
>>
>> We are talking about the SSLv2 hello format. It's not about SSLv2
>> or SSLv3, it's about the hello format.
> Which can also be used by sslv3 clients hence my comment.

True, but disabling or enabling SSLv3 doesn't impact the hello format behavior in OpenSSL afaik.

> However, haproxy unconditionally sets SSL_OP_NO_SSLv2, which
> makes openssl not use the SSLv2 Hello, so I don't see why this would
> happen.

This is the openssl behavior since 0.9.8:
https://github.com/openssl/openssl/commit/c6c2e3135dd6cff21bb4cd05a3891b5fdde04977

Maybe the OP uses an ancient openssl version (<= 0.9.7).

Galit, can you provide the output of "haproxy -vv"? Also please clarify if you are authenticating the client and/or the server. Providing a tcpdump of this failed handshake would also be helpful.

Regards,
Lukas
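Lukas's point earlier in the thread (HAProxy built against OpenSSL 0.9.8b but loading 0.9.8e-fips at run time) is worth checking mechanically on every proxy host. The following Python is an added example, not code from the thread or from HAProxy: it parses the relevant `haproxy -vv` lines posted above, embedded here as a constructed sample, and flags a build/run-time mismatch, a FIPS run-time library paired with a non-FIPS build, and an OpenSSL too old for SNI.

```python
import re

# Constructed sample: the relevant lines of the "haproxy -vv" output posted above.
HAPROXY_VV = """\
HA-Proxy version 1.5.9 2014/11/25
Built with OpenSSL version : OpenSSL 0.9.8b 04 May 2006
Running on OpenSSL version : OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
OpenSSL library supports SNI : no (version might be too old, 0.9.8f min needed)
"""

VERSION_RE = re.compile(r"^(Built with|Running on) OpenSSL version\s*:\s*OpenSSL (\S+)", re.M)


def openssl_versions(vv_output):
    """Return (build-time, run-time) OpenSSL version strings; None if a line is absent."""
    found = dict(VERSION_RE.findall(vv_output))
    return found.get("Built with"), found.get("Running on")


def check_openssl_match(vv_output):
    """Return a list of warnings about the OpenSSL the binary was built
    against versus the shared library it actually loads at run time."""
    built, running = openssl_versions(vv_output)
    if built is None or running is None:
        return ["haproxy -vv output does not list OpenSSL versions"]
    warnings = []
    if built != running:
        warnings.append(f"built against OpenSSL {built} but running on {running}")
    if "fips" in running.lower() and "fips" not in built.lower():
        warnings.append("run-time library is a FIPS build, the build-time one was not")
    if re.search(r"supports SNI\s*:\s*no", vv_output):
        warnings.append("OpenSSL too old for SNI")
    return warnings


if __name__ == "__main__":
    # On a real host: check_openssl_match(subprocess.check_output(["haproxy", "-vv"], text=True))
    for w in check_openssl_match(HAPROXY_VV):
        print("WARNING:", w)
```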
Re: SSLv2Hello is disabled
On 02/12/2015 12:41 AM, "Cohen Galit" <galit.co...@xura.com> wrote:
>
> Hello,
>
> When HAProxy 1.5.9 is trying to sample our servers with this configuration: tcp-check connect port 50443 ssl
>
> Our servers return an error:
>
> 2015-11-29 09:48:18,155 [StartPoint-IMAP-SSL-Worker(14)] [e8d05153-267f-4378-9a97-5245391ffe26] [] ERROR connection.SSLHandshakeStartPointListener (SSLHandshakeStartPointListener.java:onFailure :80) - SSL/TLS handshake failed with client identified by /10.106.75.51:35892
> javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled
>
> Please advise,
>
> Thanks,

You need to disable SSLv3 in haproxy or enable it on the imap side, which probably has only TLS support set up. I can't see an option for setting the ssl version in tcp-check connect, so it probably has to be done globally in haproxy.
RE: SSLv2Hello is disabled
On 02/12/2015 10:19 AM, "Lukas Tribus" <luky...@hotmail.com> wrote:
>
> > On 02/12/2015 12:41 AM, "Cohen Galit"
> > <galit.co...@xura.com> wrote:
> > >
> > > Hello,
> > >
> > > When HAProxy 1.5.9 is trying to sample our servers with this
> > > configuration: tcp-check connect port 50443 ssl
> > >
> > > Our servers return an error:
> > >
> > > 2015-11-29 09:48:18,155 [StartPoint-IMAP-SSL-Worker(14)]
> > > [e8d05153-267f-4378-9a97-5245391ffe26] [] ERROR
> > > connection.SSLHandshakeStartPointListener
> > > (SSLHandshakeStartPointListener.java:onFailure :80) - SSL/TLS handshake
> > > failed with client identified by
> > > /10.106.75.51:35892
>
> Do you authenticate the client and/or the server?
>
> > > javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled
> > You need to disable SSLv3 in haproxy
>
> We are talking about the SSLv2 hello format. It's not about SSLv2
> or SSLv3, it's about the hello format.

Which can also be used by sslv3 clients hence my comment.

> However, haproxy unconditionally sets SSL_OP_NO_SSLv2, which
> makes openssl not use the SSLv2 Hello, so I don't see why this would
> happen.
>
> I think the error message from Tomcat about the SSLv2Hello is irrelevant
> and misleading and you actually have a simple authentication problem.
>
> Regards,
> Lukas
RE: SSLv2Hello is disabled
> On 02/12/2015 12:41 AM, "Cohen Galit"
> <galit.co...@xura.com> wrote:
> >
> > Hello,
> >
> > When HAProxy 1.5.9 is trying to sample our servers with this
> > configuration: tcp-check connect port 50443 ssl
> >
> > Our servers return an error:
> >
> > 2015-11-29 09:48:18,155 [StartPoint-IMAP-SSL-Worker(14)]
> > [e8d05153-267f-4378-9a97-5245391ffe26] [] ERROR
> > connection.SSLHandshakeStartPointListener
> > (SSLHandshakeStartPointListener.java:onFailure :80) - SSL/TLS handshake
> > failed with client identified by
> > /10.106.75.51:35892

Do you authenticate the client and/or the server?

> > javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled
> You need to disable SSLv3 in haproxy

We are talking about the SSLv2 hello format. It's not about SSLv2
or SSLv3, it's about the hello format.

However, haproxy unconditionally sets SSL_OP_NO_SSLv2, which
makes openssl not use the SSLv2 Hello, so I don't see why this would
happen.

I think the error message from Tomcat about the SSLv2Hello is irrelevant
and misleading and you actually have a simple authentication problem.

Regards,
Lukas
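The distinction Lukas draws here, and again in his reply to Igor above, is between the SSLv2-format ClientHello and the SSLv3/TLS record-format ClientHello, which differ in their first bytes and can be told apart directly on a packet capture. The following Python is an added example, not code from the thread, from HAProxy or from OpenSSL: it classifies the first bytes a client sends by header shape and checks the internal lengths, using two constructed ClientHellos (one in each format) as input.

```python
import struct

SSLV2_CLIENT_HELLO = 0x01   # SSLv2 message type CLIENT-HELLO
TLS_HANDSHAKE = 0x16        # SSLv3/TLS record content type "handshake"
TLS_CLIENT_HELLO = 0x01     # handshake message type ClientHello


def classify_client_hello(data: bytes) -> dict:
    """Return hello format, advertised protocol version and cipher count.

    SSLv2 format: 2-byte header with the high bit set (length in the low
    15 bits), then msg type, version and three 16-bit field lengths.
    TLS format: 5-byte record header (type, version, length), then a
    4-byte handshake header and the ClientHello body.
    """
    if len(data) >= 11 and data[0] & 0x80 and data[2] == SSLV2_CLIENT_HELLO:
        length = ((data[0] & 0x7F) << 8) | data[1]
        major, minor, cs_len, sid_len, ch_len = struct.unpack("!BBHHH", data[3:11])
        if length != 9 + cs_len + sid_len + ch_len:
            raise ValueError("SSLv2 hello length does not match its fields")
        return {"format": "sslv2", "version": (major, minor), "ciphers": cs_len // 3}
    if len(data) >= 11 and data[0] == TLS_HANDSHAKE and data[5] == TLS_CLIENT_HELLO:
        rec_len = struct.unpack("!H", data[3:5])[0]
        hs_len = int.from_bytes(data[6:9], "big")
        if rec_len != hs_len + 4 or len(data) < 5 + rec_len:
            raise ValueError("TLS record/handshake length mismatch")
        pos = 11 + 32                      # skip client_version (2) and random (32)
        pos += 1 + data[pos]               # skip session_id
        cs_len = struct.unpack("!H", data[pos:pos + 2])[0]
        return {"format": "tls", "version": (data[9], data[10]), "ciphers": cs_len // 2}
    raise ValueError("not a ClientHello")


# Constructed samples, each offering TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
# and TLS_RSA_WITH_AES_256_CBC_SHA (0x0035) for TLS 1.0 (version 3,1).
SUITES = [b"\x00\x2f", b"\x00\x35"]


def sslv2_format_hello(major, minor, suites):
    body = struct.pack("!BBBHHH", SSLV2_CLIENT_HELLO, major, minor,
                       3 * len(suites), 0, 16)   # cipher spec, session id, challenge lengths
    body += b"".join(b"\x00" + s for s in suites) + b"\x00" * 16  # constructed challenge
    return struct.pack("!H", 0x8000 | len(body)) + body


def tls_format_hello(major, minor, suites):
    body = bytes([major, minor]) + b"\x00" * 32 + b"\x00"  # constructed random, no session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(suites) + b"\x01\x00"  # null compression
    hs = bytes([TLS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 3, 1]) + struct.pack("!H", len(hs)) + hs


SAMPLE_V2 = sslv2_format_hello(3, 1, SUITES)
SAMPLE_TLS = tls_format_hello(3, 1, SUITES)
```

Run over the first packet of a tcpdump capture, a "sslv2" result explains the Java-side "SSLv2Hello is disabled" error directly; a "tls" result means the failure lies elsewhere in the handshake.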
SSLv2Hello is disabled
Hello,

When HAProxy 1.5.9 is trying to sample our servers with this configuration:

tcp-check connect port 50443 ssl

Our servers return an error:

2015-11-29 09:48:18,155 [StartPoint-IMAP-SSL-Worker(14)] [e8d05153-267f-4378-9a97-5245391ffe26] [] ERROR connection.SSLHandshakeStartPointListener (SSLHandshakeStartPointListener.java:onFailure :80) - SSL/TLS handshake failed with client identified by /10.106.75.51:35892
javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled

Please advise,

Thanks,
Galit Cohen
Comverse