On Wed, Jun 24, 2020 at 01:32:29AM +0200, Marcel Menzel wrote:
> Hello list,
> 
> after an unsuccessful search in the documentation I am asking here if it's
> possible to somehow make HAProxy log the reason why an SSL handshake
> failed (especially on a frontend).
> I am thinking of logging the SSL alert message, for example logging if
> the message came from the server or the client, the AlertLevel and the
> alert message:
> 
> "ft_https/1: SSL handshake failure: C>S fatal certificate_unknown"
> 
> We've had to deal with the expired AddTrust certificate and saw a lot of
> logged SSL handshake failures, but since HAProxy doesn't log the reason
> why a handshake failed we had to use tcpdump to get the SSL alert number
> leading to an aborted SSL handshake.
> 
> 
> Kind regards,
> 
> Marcel Menzel


Unfortunately it's not possible yet, but we were asked this many times
and we will definitely improve that.

At the moment what is logged is the error string which is
provided by OpenSSL.

A ticket was opened a few days ago about it on github
https://github.com/haproxy/haproxy/issues/693

Regards,

-- 
William Lallemand
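As an added illustration of what Marcel is asking for (this is not code from the thread or from HAProxy), the small decoder below turns a raw plaintext TLS alert record, such as the one you would pull out of a tcpdump capture, into the origin, AlertLevel and alert description, and renders it in the log format proposed above. The alert level and description names come from the TLS 1.2/1.3 alert registries; the sample records, the frontend name `ft_https`, the connection id and the `C>S` direction marker are constructed for the example.

```python
"""Decode a plaintext TLS alert record and render it as an HAProxy-style log line.

Added example, not HAProxy code. Only plaintext alerts (TLS 1.2 and earlier, or
TLS 1.3 alerts sent before the handshake traffic keys are in use) can be decoded
from a capture; an encrypted alert arrives as an application_data record (type 23)
and its level/description are not visible on the wire.
"""
import struct

TLS_CONTENT_TYPE_ALERT = 21
TLS_CONTENT_TYPE_HANDSHAKE = 22
TLS_CONTENT_TYPE_APPLICATION_DATA = 23

ALERT_LEVELS = {1: "warning", 2: "fatal"}

# AlertDescription values from RFC 5246 / RFC 8446 (names as registered by IANA).
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    21: "decryption_failed_RESERVED", 22: "record_overflow",
    30: "decompression_failure", 40: "handshake_failure",
    41: "no_certificate_RESERVED", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 60: "export_restriction_RESERVED",
    70: "protocol_version", 71: "insufficient_security", 80: "internal_error",
    86: "inappropriate_fallback", 90: "user_canceled", 100: "no_renegotiation",
    109: "missing_extension", 110: "unsupported_extension",
    111: "certificate_unobtainable_RESERVED", 112: "unrecognized_name",
    113: "bad_certificate_status_response", 114: "bad_certificate_hash_value_RESERVED",
    115: "unknown_psk_identity", 116: "certificate_required",
    120: "no_application_protocol",
}


def parse_tls_alert(record: bytes):
    """Return (level_name, description_name) for a plaintext alert record, or None
    if the record is not an alert. Raises ValueError on a malformed or encrypted alert."""
    if len(record) < 5:
        raise ValueError("truncated TLS record header")
    content_type, _major, _minor, length = struct.unpack("!BBBH", record[:5])
    if content_type != TLS_CONTENT_TYPE_ALERT:
        return None
    body = record[5:5 + length]
    if len(body) != 2:
        # A plaintext alert body is exactly two bytes; anything else is either
        # corrupt or an alert we cannot read without the session keys.
        raise ValueError("alert body is not 2 bytes; malformed or encrypted alert")
    level, description = body[0], body[1]
    return (ALERT_LEVELS.get(level, f"level_{level}"),
            ALERT_DESCRIPTIONS.get(description, f"alert_{description}"))


def first_alert_in_stream(stream: bytes):
    """Walk a sequence of concatenated TLS records and return the first decodable alert."""
    offset = 0
    while offset + 5 <= len(stream):
        length = struct.unpack("!H", stream[offset + 3:offset + 5])[0]
        record = stream[offset:offset + 5 + length]
        parsed = parse_tls_alert(record)
        if parsed is not None:
            return parsed
        offset += 5 + length
    return None


def format_handshake_failure(frontend: str, conn_id: int, direction: str, stream: bytes):
    """Render the alert in the log shape proposed in the thread, e.g.
    'ft_https/1: SSL handshake failure: C>S fatal certificate_unknown'."""
    parsed = first_alert_in_stream(stream)
    if parsed is None:
        return None
    level, description = parsed
    return f"{frontend}/{conn_id}: SSL handshake failure: {direction} {level} {description}"


# Constructed sample records (not captured traffic):
# TLS 1.2 alert record: type 21, version 0x0303, length 2, level 2 (fatal), description 46.
SAMPLE_ALERT_RECORD = b"\x15\x03\x03\x00\x02\x02\x2e"
# A handshake record with a 3-byte dummy body, followed by the alert above.
SAMPLE_STREAM = b"\x16\x03\x03\x00\x03\x00\x00\x00" + SAMPLE_ALERT_RECORD

if __name__ == "__main__":
    print(format_handshake_failure("ft_https", 1, "C>S", SAMPLE_STREAM))
```

Alert direction is not in the record itself; in a capture it follows from which endpoint sent the packet, which is why the example takes it as a parameter. The same two-byte layout applies to alerts sent by either side.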
