Ssl – Disable sslv3 from haproxy health check ssl-hello-chk

haproxyssl

I have a haproxy configures like below with health check. My backend doesn't support sslv3. Is there a way to make ssl-hello-chk to use a protocol other that sslv3.

backend am
  balance roundrobin
  mode http
  http-request set-header X-Forwarded-Port %[dst_port]
  http-request add-header X-Forwarded-Proto https if { ssl_fc }
  option ssl-hello-chk 
  option log-health-checks
  http-check expect rstatus 404
  server am-1 10.100.7.21:8243 check port 8243 inter 2000 rise 2 fall 5
  server am-2 10.100.7.21:8243 check port 8243 inter 2000 rise 2 fall 5

Best Answer

It is not supported to change the protocol other than sslv3 for ssl-hello-chk. Instead, you can use tcp-check on port 8243.

backend am
  balance roundrobin
  mode http
  http-request set-header X-Forwarded-Port %[dst_port]
  http-request add-header X-Forwarded-Proto https if { ssl_fc }
  option tcp-check
  server am-1 10.100.7.21:8243 ssl verify none check port 8243
  server am-2 10.100.7.21:8245 ssl verify none check port 8245

Related Solutions

Ssl – HaProxy – Http and SSL pass through config

What are you using to cipher/decipher the SSL traffic before haproxy ? Stunnel, nginx, apache, something else ?

I suspect it might be related to the lack of "option httpclose" on your port 80, but it's not clear to me why it would cause an issue to only a few visitors.

Haproxy error 400 with option ssl-hello-chk

You can increase the apache loglevel to get more information about the HAPROXY hello request.

To see what happens you could use curl and switch on verbose messages:

curl -k -v https://real-https-apache.com

Curl should inform you about the different processess including client-hello and server-hello.

Then also check apache logs

This is how such a curl request looks like:

$ curl -k -v https://graph.facebook.com
* About to connect() to graph.facebook.com port 443 (#0)
*   Trying 66.220.146.100... connected
* Connected to graph.facebook.com (66.220.146.100) port 443 (#0)
* error setting certificate verify locations, continuing anyway:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* SSLv2, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using AES128-SHA
* Server certificate:
*        subject: /C=US/ST=California/L=Palo Alto/O=Facebook, Inc./CN=*.facebook.com
*        start date: 2010-01-13 00:00:00 GMT
*        expire date: 2013-04-11 23:59:59 GMT
*        common name: *.facebook.com (matched)
*        issuer: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
> GET / HTTP/1.1
> User-Agent: curl/7.18.0 (i486-pc-linux-gnu) libcurl/7.18.0 OpenSSL/0.9.8g zlib/1.2.3.3 libidn/1.1
> Host: graph.facebook.com
> Accept: */*
> 
< HTTP/1.1 302 Found
< Cache-Control: private, no-cache, no-store, must-revalidate
< Expires: Sat, 01 Jan 2000 00:00:00 GMT
< Location: http://developers.facebook.com/docs/api
< Pragma: no-cache
< X-FB-Rev: 575092
< Content-Type: text/html; charset=utf-8
< X-FB-Debug: sYq1u5Ffp1JE7p5IafErxiU6MNT6i1fXCEkn51nFxr8=
< Date: Mon, 18 Jun 2012 10:49:17 GMT
< Connection: keep-alive
< Content-Length: 0
< 
* Connection #0 to host graph.facebook.com left intact
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):

Best Answer

Related Solutions

Ssl – HaProxy – Http and SSL pass through config

Haproxy error 400 with option ssl-hello-chk

Related Topic