Hi there,
I'm running haproxy 1.5.12 and I have set
'ssl-default-bind-options no-sslv3 no-tlsv10' (without the quotes
of course) under the global section as I want all my front-ends
not to support SSLv3 or TLS1.0.
However I do have a client that still requires SSLv3 support (for
their own reasons). I have tried using force-sslv3 on the server
line in the backend that matches their site, however this does not
seem to be working at all.
Config snippet looks like this:
global
    log 127.0.0.1 local0
    log 127.0.0.1 local1 notice
    maxconn 4096
    user haproxy
    group haproxy
    daemon
    stats socket /var/run/haproxy
    # SSL Options
    tune.ssl.default-dh-param 4096
    ssl-server-verify none # Used when backend is to some server that only has SSL
    ssl-default-bind-options no-sslv3 no-tlsv10
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
    ssl-default-server-options no-sslv3 no-tlsv10
    ssl-default-server-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS

frontend http-in
    bind *:443 ssl crt /etc/haproxy/certs/ha_certifitcate.pem
    use_backend client_2 if { ssl_fc_sni client_2.mycompany.net }

backend client_2
    option httpclose
    option forwardfor
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
    redirect scheme https if !{ ssl_fc }
    server client_2 10.82.1.93:8880 cookie client_2 check force-sslv3
Please note that I host/support a number of websites for various
clients using a wildcard certificate that matches *.mycompany.net,
e.g. client1.mycompany.net, client2.mycompany.net etc.
When testing this using:
openssl s_client -connect client_2.mycompany.net:443 -ssl3
I see the following in the haproxy logs:
Jul 4 00:25:34 localhost.localdomain haproxy[1297]: xxx.xxx.xxx.xxx:55260 [04/Jul/2015:00:25:34.675] http-in/2: SSL handshake failure
This is the behaviour I expect to see with SSLv3 being disabled.
Testing with:
openssl s_client -connect client_2.mycompany.net:443 -tls1_2
works as expected.
Any thoughts on what I am doing incorrectly here?
Regards,
- Travis
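Added example, not part of Travis's post and not HAProxy project code: a small Python checker that reads a config in the shape shown above and reports which side of the proxy each SSL protocol keyword governs. HAProxy's documentation defines bind-line keywords (and the global ssl-default-bind-options) as applying to connections accepted from clients, and server-line keywords (and ssl-default-server-options) as applying only to the connection HAProxy itself opens to the backend server, and then only when that server line also carries the ssl keyword. The embedded config is the snippet from the post, trimmed to its SSL-relevant lines and re-indented; the function names, the simplified parser and the merge rule (a bind line's explicit force-*/no-* options are unioned with the global defaults, and global is assumed to appear before the listeners) are this example's own assumptions.

```python
"""Report which side of HAProxy each SSL protocol keyword governs.

Added example: the parser and merge rule are deliberately simplified and
only cover the force-*/no-* keywords that appear in the post.
"""
import re

# Constructed input: the config from the post, trimmed to the SSL-relevant lines.
SAMPLE_CONFIG = """\
global
    ssl-default-bind-options no-sslv3 no-tlsv10
    ssl-default-server-options no-sslv3 no-tlsv10

frontend http-in
    bind *:443 ssl crt /etc/haproxy/certs/ha_certifitcate.pem
    use_backend client_2 if { ssl_fc_sni client_2.mycompany.net }

backend client_2
    server client_2 10.82.1.93:8880 cookie client_2 check force-sslv3
"""

SECTION_KEYWORDS = ("global", "defaults", "frontend", "backend", "listen")
PROTO_RE = re.compile(r"^(force|no)-(sslv3|tlsv1[0-2])$")


def _sections(text):
    """Yield (kind, name, token_lines) per section; comments and blanks dropped."""
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        if tokens[0] in SECTION_KEYWORDS:
            if current:
                yield current
            current = (tokens[0], tokens[1] if len(tokens) > 1 else "", [])
        elif current:
            current[2].append(tokens)
    if current:
        yield current


def _proto_opts(tokens):
    """Keep only the force-*/no-* protocol keywords from a token list."""
    return [t for t in tokens if PROTO_RE.match(t)]


def _conflicts(opts):
    """Protocol versions that are both forced and disabled in one option set."""
    forced = {PROTO_RE.match(o).group(2) for o in opts if o.startswith("force-")}
    disabled = {PROTO_RE.match(o).group(2) for o in opts if o.startswith("no-")}
    return sorted(forced & disabled)


def analyse(config_text):
    """Return the effective client-facing options per bind line, plus findings
    about server-line options (which never change what clients may negotiate)."""
    bind_defaults, server_defaults = [], []
    binds, findings = [], []
    for kind, name, lines in _sections(config_text):
        section = f"{kind} {name}".strip()
        for tokens in lines:
            kw, args = tokens[0], tokens[1:]
            if kind == "global" and kw == "ssl-default-bind-options":
                bind_defaults = _proto_opts(args)  # assumes global comes first
            elif kind == "global" and kw == "ssl-default-server-options":
                server_defaults = _proto_opts(args)
            elif kw == "bind":
                address, opts = args[0], args[1:]
                if "ssl" not in opts:
                    effective = []  # plain-text listener: no TLS policy at all
                else:
                    effective = sorted(set(bind_defaults) | set(_proto_opts(opts)))
                binds.append({"section": section, "address": address,
                              "client_side_options": effective})
                for proto in _conflicts(effective):
                    findings.append(f"{section}: bind {address} both forces and "
                                    f"disables {proto}; the effective options "
                                    f"contradict each other")
            elif kw == "server":
                sname, address, opts = args[0], args[1], args[2:]
                explicit = _proto_opts(opts)
                if explicit:
                    findings.append(
                        f"{section}: server {sname} option(s) {', '.join(explicit)} "
                        f"govern HAProxy's own connection to {address}, not the "
                        f"TLS versions clients may use on the frontend")
                if explicit and "ssl" not in opts:
                    findings.append(
                        f"{section}: server {sname} has no 'ssl' keyword, so HAProxy "
                        f"speaks plain TCP to {address} and {', '.join(explicit)} "
                        f"has no effect at all")
    return {"bind_defaults": bind_defaults, "server_defaults": server_defaults,
            "binds": binds, "findings": findings}


if __name__ == "__main__":
    report = analyse(SAMPLE_CONFIG)
    for b in report["binds"]:
        print(f"{b['section']} bind {b['address']}: clients get "
              f"{' '.join(b['client_side_options']) or 'no TLS'}")
    for f in report["findings"]:
        print("finding:", f)
```

Run against the post's snippet, the checker reports that the only client-facing policy is the global no-sslv3 no-tlsv10 inherited by the single bind on *:443, which is exactly what the "SSL handshake failure" log line for an -ssl3 client reflects, and that the force-sslv3 on the server line concerns the hop to 10.82.1.93:8880 (and is inert there, since that server line has no ssl keyword). Because every SNI name shares that one bind line, its protocol options apply to all of them alike; protocol version is negotiated before SNI-based backend selection happens, so a per-backend setting cannot change it.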