Re: Ubuntu 20.04 + TLSv1
On Fri, 12 June 2020 at 16:02, Jerome Magnin wrote:

> On Fri, Jun 12, 2020 at 03:09:18PM +0200, bjun...@gmail.com wrote:
> > Hi,
> >
> > currently I'm testing Ubuntu 20.04 and HAProxy 2.0.14.
> >
> > I'm trying to get TLSv1 working (we need this for some legacy clients), so
> > far without success.
> >
> > I've read different things, on the one hand Ubuntu has removed
> > TLSv1/TLSv1.1 support completely, otherwise that it can be enabled:
> > http://changelogs.ubuntu.com/changelogs/pool/main/o/openssl/openssl_1.1.1f-1ubuntu2/changelog
> >
> > Is there anything that can be set in HAProxy? (apart from
> > "ssl-default-bind-options ssl-min-ver TLSv1.0 ssl-max-ver TLSv1.2")
> >
> > Has anybody more information on this matter or has TLSv1 working in Ubuntu
> > 20.04 + HAProxy?
>
> Hi,
>
> appending @SECLEVEL=1 to the cipher string I can perform the handshakes
> using TLSv1.0 and higher on Ubuntu 20.04. You don't need to rebuild
> openssl. I was not able to use s_client -tls1 or -tls1_2 on the 20.04
> though, had to try with a different client. It's probably something that
> you can handle with openssl.cnf, just like the ciphers.
>
> frontend in
>     bind *:8443 ssl crt ssl.pem ssl-min-ver TLSv1.0 ciphers ALL:@SECLEVEL=1
>
> --
> Jérôme

Thanks Jérôme, that does the trick.

Best regards / Mit freundlichen Grüßen
Bjoern
Re: Ubuntu 20.04 + TLSv1
On Fri, Jun 12, 2020 at 03:09:18PM +0200, bjun...@gmail.com wrote:
> Hi,
>
> currently I'm testing Ubuntu 20.04 and HAProxy 2.0.14.
>
> I'm trying to get TLSv1 working (we need this for some legacy clients), so
> far without success.
>
> I've read different things, on the one hand Ubuntu has removed
> TLSv1/TLSv1.1 support completely, otherwise that it can be enabled:
> http://changelogs.ubuntu.com/changelogs/pool/main/o/openssl/openssl_1.1.1f-1ubuntu2/changelog
>
> Is there anything that can be set in HAProxy? (apart from
> "ssl-default-bind-options ssl-min-ver TLSv1.0 ssl-max-ver TLSv1.2")
>
> Has anybody more information on this matter or has TLSv1 working in Ubuntu
> 20.04 + HAProxy?

Hi,

appending @SECLEVEL=1 to the cipher string I can perform the handshakes
using TLSv1.0 and higher on Ubuntu 20.04. You don't need to rebuild
openssl. I was not able to use s_client -tls1 or -tls1_2 on the 20.04
though, had to try with a different client. It's probably something that
you can handle with openssl.cnf, just like the ciphers.

frontend in
    bind *:8443 ssl crt ssl.pem ssl-min-ver TLSv1.0 ciphers ALL:@SECLEVEL=1

--
Jérôme
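
The keywords discussed in this thread (ssl-min-ver, force-tlsv10 and an @SECLEVEL suffix on the cipher string) each relax a listener's TLS settings, so it helps to be able to list where they are in use. The following is an added example, not code from any poster in the thread: it scans HAProxy configuration text for those keywords. The function name audit_tls and the sample configuration are constructed for illustration.

```python
import re

# Bind keywords that pin a listener to a pre-TLS-1.2 protocol version.
FORCE_LEGACY = {"force-sslv3": "SSLv3", "force-tlsv10": "TLSv1.0",
                "force-tlsv11": "TLSv1.1"}
LEGACY_MIN = {"SSLv3", "TLSv1.0", "TLSv1.1"}
# Directives that carry TLS settings: per-listener and global defaults.
TLS_DIRECTIVES = {"bind", "ssl-default-bind-options",
                  "ssl-default-bind-ciphers"}
SECLEVEL = re.compile(r"@SECLEVEL=(\d)")


def audit_tls(config_text):
    """Return (line_no, directive, reasons) for lines permitting legacy TLS."""
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()  # drop comments
        if not tokens or tokens[0] not in TLS_DIRECTIVES:
            continue
        reasons = []
        for i, tok in enumerate(tokens):
            nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
            if tok in FORCE_LEGACY:
                reasons.append("forces " + FORCE_LEGACY[tok])
            elif tok == "ssl-min-ver" and nxt in LEGACY_MIN:
                reasons.append("minimum version " + nxt)
            elif tok in ("ciphers", "ssl-default-bind-ciphers"):
                m = SECLEVEL.search(nxt)
                if m and int(m.group(1)) < 2:
                    reasons.append("OpenSSL security level " + m.group(1))
        if reasons:
            findings.append((line_no, tokens[0], reasons))
    return findings


# Constructed sample configuration (not taken from the thread's systems).
SAMPLE = """\
global
    ssl-default-bind-options ssl-min-ver TLSv1.2
frontend legacy_in
    bind *:8443 ssl crt ssl.pem ssl-min-ver TLSv1.0 ciphers ALL:@SECLEVEL=1
frontend modern_in
    bind *:443 ssl crt ssl.pem ssl-min-ver TLSv1.2
frontend pinned_in
    bind *:9443 ssl crt ssl.pem force-tlsv10  # forced legacy version
"""

if __name__ == "__main__":
    for line_no, directive, reasons in audit_tls(SAMPLE):
        print(f"line {line_no}: {directive}: {', '.join(reasons)}")
```

Keeping the relaxed settings on a dedicated bind line, as in the constructed legacy_in frontend, limits the findings to the one listener the legacy clients use.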
Re: Ubuntu 20.04 + TLSv1
On Fri, 12 June 2020 at 15:38, bjun...@gmail.com <bjun...@gmail.com> wrote:

> On Fri, 12 June 2020 at 15:24, Lukas Tribus wrote:
>
>> Hello Bjoern,
>>
>> On Fri, 12 Jun 2020 at 15:09, bjun...@gmail.com wrote:
>> >
>> > Hi,
>> >
>> > currently I'm testing Ubuntu 20.04 and HAProxy 2.0.14.
>> >
>> > I'm trying to get TLSv1 working (we need this for some legacy clients),
>> > so far without success.
>> >
>> > I've read different things, on the one hand Ubuntu has removed
>> > TLSv1/TLSv1.1 support completely, otherwise that it can be enabled:
>> > http://changelogs.ubuntu.com/changelogs/pool/main/o/openssl/openssl_1.1.1f-1ubuntu2/changelog
>> >
>> > Is there anything that can be set in HAProxy? (apart from
>> > "ssl-default-bind-options ssl-min-ver TLSv1.0 ssl-max-ver TLSv1.2")
>> >
>> > Has anybody more information on this matter or has TLSv1 working in
>> > Ubuntu 20.04 + HAProxy?
>>
>> Please try "force-tlsv10" *directly* on the bind line (not from
>> ssl-default-bind-options).
>>
>> There are two issues:
>>
>> Bug 595 [1]: ssl-min-ver does not work from ssl-default-bind-options
>> Bug 676 [2]: ssl-min-ver does not work properly depending on OS defaults
>>
>> If force-tlsv10 works directly on the bind line to enable TLSv1.0,
>> then the next release 2.0.15 should work fine as it contains both
>> fixes.
>>
>> Regards,
>>
>> Lukas
>>
>> [1] https://github.com/haproxy/haproxy/issues/595
>> [2] https://github.com/haproxy/haproxy/issues/676
>
> Hi Lukas,
>
> "force-tlsv10" directly on the bind line doesn't work (I've also tried in
> "ssl-default-bind-options", same result).
>
> Best regards / Mit freundlichen Grüßen
> Bjoern

I'm using the Ubuntu packages from haproxy.debian.net.

# haproxy -vvv | grep -i openssl
OPTIONS = USE_PCRE2=1 USE_PCRE2_JIT=1 USE_REGPARM=1 USE_OPENSSL=1 USE_LUA=1 USE_ZLIB=1 USE_SYSTEMD=1
Feature list : +EPOLL -KQUEUE -MY_EPOLL -MY_SPLICE +NETFILTER -PCRE -PCRE_JIT +PCRE2 +PCRE2_JIT +POLL -PRIVATE_CACHE +THREAD -PTHREAD_PSHARED +REGPARM -STATIC_PCRE -STATIC_PCRE2 +TPROXY +LINUX_TPROXY +LINUX_SPLICE +LIBCRYPT +CRYPT_H -VSYSCALL +GETADDRINFO +OPENSSL +LUA +FUTEX +ACCEPT4 -MY_ACCEPT4 +ZLIB -SLZ +CPU_AFFINITY +TFO +NS +DL +RT -DEVICEATLAS -51DEGREES -WURFL +SYSTEMD -OBSOLETE_LINKER +PRCTL +THREAD_DUMP -EVPORTS
Built with OpenSSL version : OpenSSL 1.1.1d 10 Sep 2019
Running on OpenSSL version : OpenSSL 1.1.1f 31 Mar 2020
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3

Best regards / Mit freundlichen Grüßen
Bjoern
Re: Ubuntu 20.04 + TLSv1
On Fri, 12 June 2020 at 15:24, Lukas Tribus wrote:

> Hello Bjoern,
>
> On Fri, 12 Jun 2020 at 15:09, bjun...@gmail.com wrote:
> >
> > Hi,
> >
> > currently I'm testing Ubuntu 20.04 and HAProxy 2.0.14.
> >
> > I'm trying to get TLSv1 working (we need this for some legacy clients),
> > so far without success.
> >
> > I've read different things, on the one hand Ubuntu has removed
> > TLSv1/TLSv1.1 support completely, otherwise that it can be enabled:
> > http://changelogs.ubuntu.com/changelogs/pool/main/o/openssl/openssl_1.1.1f-1ubuntu2/changelog
> >
> > Is there anything that can be set in HAProxy? (apart from
> > "ssl-default-bind-options ssl-min-ver TLSv1.0 ssl-max-ver TLSv1.2")
> >
> > Has anybody more information on this matter or has TLSv1 working in
> > Ubuntu 20.04 + HAProxy?
>
> Please try "force-tlsv10" *directly* on the bind line (not from
> ssl-default-bind-options).
>
> There are two issues:
>
> Bug 595 [1]: ssl-min-ver does not work from ssl-default-bind-options
> Bug 676 [2]: ssl-min-ver does not work properly depending on OS defaults
>
> If force-tlsv10 works directly on the bind line to enable TLSv1.0,
> then the next release 2.0.15 should work fine as it contains both
> fixes.
>
> Regards,
>
> Lukas
>
> [1] https://github.com/haproxy/haproxy/issues/595
> [2] https://github.com/haproxy/haproxy/issues/676

Hi Lukas,

"force-tlsv10" directly on the bind line doesn't work (I've also tried in
"ssl-default-bind-options", same result).

Best regards / Mit freundlichen Grüßen
Bjoern
Re: Ubuntu 20.04 + TLSv1
Hello Bjoern,

On Fri, 12 Jun 2020 at 15:09, bjun...@gmail.com wrote:
>
> Hi,
>
> currently I'm testing Ubuntu 20.04 and HAProxy 2.0.14.
>
> I'm trying to get TLSv1 working (we need this for some legacy clients), so
> far without success.
>
> I've read different things, on the one hand Ubuntu has removed TLSv1/TLSv1.1
> support completely, otherwise that it can be enabled:
> http://changelogs.ubuntu.com/changelogs/pool/main/o/openssl/openssl_1.1.1f-1ubuntu2/changelog
>
> Is there anything that can be set in HAProxy? (apart from
> "ssl-default-bind-options ssl-min-ver TLSv1.0 ssl-max-ver TLSv1.2")
>
> Has anybody more information on this matter or has TLSv1 working in Ubuntu
> 20.04 + HAProxy?

Please try "force-tlsv10" *directly* on the bind line (not from
ssl-default-bind-options).

There are two issues:

Bug 595 [1]: ssl-min-ver does not work from ssl-default-bind-options
Bug 676 [2]: ssl-min-ver does not work properly depending on OS defaults

If force-tlsv10 works directly on the bind line to enable TLSv1.0,
then the next release 2.0.15 should work fine as it contains both
fixes.

Regards,

Lukas

[1] https://github.com/haproxy/haproxy/issues/595
[2] https://github.com/haproxy/haproxy/issues/676
Re: Ubuntu 20.04 + TLSv1
if haproxy was built against openssl with disabled TLS1.0, so haproxy does not support TLS1.0
you need to rebuild haproxy after enabling

On Fri, 12 Jun 2020 at 18:12, bjun...@gmail.com wrote:

> Hi,
>
> currently I'm testing Ubuntu 20.04 and HAProxy 2.0.14.
>
> I'm trying to get TLSv1 working (we need this for some legacy clients), so
> far without success.
>
> I've read different things, on the one hand Ubuntu has removed
> TLSv1/TLSv1.1 support completely, otherwise that it can be enabled:
> http://changelogs.ubuntu.com/changelogs/pool/main/o/openssl/openssl_1.1.1f-1ubuntu2/changelog
>
> Is there anything that can be set in HAProxy? (apart from
> "ssl-default-bind-options ssl-min-ver TLSv1.0 ssl-max-ver TLSv1.2")
>
> Has anybody more information on this matter or has TLSv1 working in Ubuntu
> 20.04 + HAProxy?
>
> Best regards / Mit freundlichen Grüßen
> Bjoern
Ubuntu 20.04 + TLSv1
Hi,

currently I'm testing Ubuntu 20.04 and HAProxy 2.0.14.

I'm trying to get TLSv1 working (we need this for some legacy clients), so
far without success.

I've read different things, on the one hand Ubuntu has removed
TLSv1/TLSv1.1 support completely, otherwise that it can be enabled:
http://changelogs.ubuntu.com/changelogs/pool/main/o/openssl/openssl_1.1.1f-1ubuntu2/changelog

Is there anything that can be set in HAProxy? (apart from
"ssl-default-bind-options ssl-min-ver TLSv1.0 ssl-max-ver TLSv1.2")

Has anybody more information on this matter or has TLSv1 working in Ubuntu
20.04 + HAProxy?

Best regards / Mit freundlichen Grüßen
Bjoern