HAProxy configuration is throwing SSL handshake error in production


Facing SSL handshake failure with the below HAProxy configuration and an outage in our production environment.

Flow:

  • We are using a load balancer to distribute the traffic between the servers
  • Server proxy requests are handled by HAProxy
  • HAProxy takes care of proxying the request to the backend server

HAProxy configuration:

global
        log /dev/log    local0 debug
        log /dev/log    local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
        stats timeout 30s
        user haproxy
        group haproxy
        daemon

        # Default SSL material locations
        ca-base /etc/haproxy/ssl
        crt-base /etc/haproxy/ssl

# settings inherited by every frontend and backend below
defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull
        timeout connect 5000
        timeout client  50000
        timeout server  50000
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 504 /etc/haproxy/errors/504.http

frontend haproxy.service
        bind *:80
        bind *:443  ssl crt /etc/haproxy/ssl/test.pem ssl-min-ver TLSv1.2 ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
        http-request redirect scheme https unless { ssl_fc }
        default_backend backend.services

# backend name must match the default_backend reference above
backend backend.services
        balance roundrobin
        server  backend.service 127.0.0.1:5001

I found on the Internet that SSL handshake failures may happen due to the below scenarios:

  • Protocol mismatch - tested all the TLS versions (TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.3), still facing SSL handshake failure
  • Cipher suite mismatch
    • Tested with the existing working cipher suite in the HAProxy configuration
    • Not sure about the cipher suite. Which suite will work for the above configuration?
  • Incorrect certificate
    • Checked with an SSL checker; it passed.

Output of the below related command:

curl -v --tls-max 1.2 https://server.com/health
  • It says connected
  • SSL verification successful
  • HTTP/1.1 200 OK message

Error Message:

ALPN, server did not agree to a protocol

  • How can we handle this error message?
  1. Solution for the SSL handshake failure
  2. Cipher suite suggestions
  3. What are the further areas we can test?
  4. Suggestions/solutions to handle this error:

    ALPN, server did not agree to a protocol
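A corrected configuration, added here as an illustration and not taken from the question or from the HAProxy project: it advertises ALPN on the HTTPS bind with the `alpn h2,http/1.1` keyword, which is what curl's "ALPN, server did not agree to a protocol" line refers to (the server offered no ALPN protocol, so curl fell back to plain HTTP/1.1 after the TLS handshake completed), moves the TLS policy into `ssl-default-bind-*` in the global section so every TLS bind shares one policy, and uses the same backend name on both sides. Assumed, and not stated on the page: HAProxy 2.x built against OpenSSL 1.1.1 or later (needed for `ssl-min-ver`, `ssl-default-bind-ciphersuites` and h2), and the certificate path and cipher list from the question.

```haproxy
global
        log /dev/log    local0
        log /dev/log    local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
        stats timeout 30s
        user haproxy
        group haproxy
        daemon

        # Default SSL material locations (paths from the question)
        ca-base /etc/haproxy/ssl
        crt-base /etc/haproxy/ssl

        # TLS policy shared by every "bind ... ssl" line.
        # TLS 1.0 and 1.1 clients are rejected by design; TLS 1.2 clients get the
        # "ciphers" list, TLS 1.3 clients get the separate "ciphersuites" list.
        # (HAProxy 2.x with OpenSSL 1.1.1+ assumed for ssl-min-ver and ciphersuites.)
        ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
        ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
        ssl-default-bind-ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256

defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull
        timeout connect 5s
        timeout client  50s
        timeout server  50s
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 504 /etc/haproxy/errors/504.http

frontend haproxy.service
        bind *:80
        # "alpn h2,http/1.1" makes HAProxy offer both protocols during the TLS
        # handshake. Without it the server selects no ALPN protocol, and curl
        # reports "ALPN, server did not agree to a protocol" even though the
        # handshake succeeds and the request is served over HTTP/1.1.
        bind *:443  ssl crt /etc/haproxy/ssl/test.pem alpn h2,http/1.1
        http-request redirect scheme https unless { ssl_fc }
        default_backend backend.services

# name matches the default_backend reference in the frontend
backend backend.services
        balance roundrobin
        # "check" enables active health checks so a dead backend is taken out
        # of rotation instead of returning errors to clients
        server  backend.service 127.0.0.1:5001 check
```

Validate the file with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading; a frontend/backend name mismatch like the one in the question is reported at this step rather than in production. After the reload, the same `curl -v --tls-max 1.2 https://server.com/health` from the question should print "ALPN, server accepted to use http/1.1" (or "h2" when `--tls-max` is omitted and HTTP/2 is negotiated), and `openssl s_client -connect server.com:443 -alpn h2,http/1.1` should show an "ALPN protocol:" line instead of "No ALPN negotiated". Clients that only speak TLS 1.0 or 1.1 still fail the handshake, which is the intended effect of `ssl-min-ver TLSv1.2`.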
