
Scenario:

I have an old hp dl360 g7 with iLO 3. Modern browsers can't access it because it uses ancient ciphers.

On my internal network, I'd like to have haproxy talk to it and eat the SSL errors and serve the content with SSL that modern browsers will support.

What I've tried:

frontend ilo3
    # Browser-facing listener: Let's Encrypt cert, modern ALPN
    bind *:3333 ssl crt /etc/letsencrypt/live/mydomain.com/haproxy.pem alpn h2,http/1.1
    mode http
    use_backend ilo3

backend ilo3
    mode http
    # Explicit :443 on the server address. Without a port haproxy reuses the port the
    # client connected to (3333 here); "port 443" by itself only changes the health-check port.
    server node1 192.168.2.185:443 check ssl verify none

Result:

When I hit https://<haproxyip>:3333 I get:

Jun 25 22:28:46 haproxy haproxy[5750]: 192.168.2.229:54666 [25/Jun/2023:22:28:46.816] ilo3/1: SSL handshake failure

It's possible I'm not understanding the difficulties with what I'm trying to do. Appreciate any education.

Matt

1 Answer


A handshake error cannot be simply ignored and continued with the connection. It is like asking that a car simply continues to drive after a fatal crash.

With a handshake error the current connection is in a state where there is no common ground between client and server to continue with the handshake, like they find no shared ciphers, no shared protocol version, or the other side has simply closed the underlying TCP connection.

This is different from errors with certificate validation, where the side which does the validation (i.e. the client in case of server certificates) might decide to ignore these validation problems and continue with the handshake (but now risk man-in-the-middle attacks).

Modern browsers can't access it because it uses ancient ciphers.

This is likely the same problem nginx is facing. "Supported ciphers" is like the languages each side speaks. Communication will fail if they find no common language to talk with each other.

Such a problem of not understanding each other can obviously not be simply ignored. Instead haproxy would need to be configured to support ciphers and protocols which are also supported by the upstream. Depending on how broken the upstream is in terms of protocol support, this might be simply done by tuning the ciphers and ssl-min-ver settings. In some cases (really old broken stacks) the ancient protocol versions or ciphers needed might not be compiled into haproxy though, so recompiling openssl and haproxy with support for such old stuff would be needed.

Steffen Ullrich
  • Thanks Steffen, that's kind of what I suspected. I'll try configuring ssl-min-ver and ciphers tonight and see if I can get it to work. – Matt Jun 26 '23 at 15:25
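A worked configuration that follows the answer's advice, added here as an example; it is not code from the question, the answer, or the HAProxy project. It keeps the addresses and certificate path from the question and assumes two things that are not stated on the page: that the iLO 3 at 192.168.2.185 will still complete a TLS 1.0 handshake with AES-CBC/SHA-1 suites (the cipher list below is constructed on that assumption), and that haproxy is linked against OpenSSL 3.x, where SSL 3, TLS 1.0 and TLS 1.1 no longer work at the default security level 1 and need @SECLEVEL=0 on the server side. The browser-facing bind is kept at TLS 1.2+ so the proxy bridges the two worlds instead of weakening both:

```haproxy
global
    log stdout format raw local0
    # haproxy -> iLO defaults (server side). On OpenSSL 3.x builds TLS < 1.2
    # only handshakes at security level 0; @SECLEVEL=0 is harmless on older OpenSSL.
    ssl-default-server-options ssl-min-ver TLSv1.0
    ssl-default-server-ciphers DEFAULT:@SECLEVEL=0
    # browser -> haproxy defaults (bind side): modern protocols and AEAD suites only
    ssl-default-bind-options ssl-min-ver TLSv1.2
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client 60s
    timeout server 60s

frontend ilo3
    # Modern TLS towards the browser; cert path as in the question
    bind *:3333 ssl crt /etc/letsencrypt/live/mydomain.com/haproxy.pem alpn h2,http/1.1
    default_backend ilo3

backend ilo3
    # Explicit :443 (without a port haproxy reuses the client's port, 3333).
    # verify none: the iLO's self-signed cert cannot be validated, so this trades
    # MITM protection on the LAN for a working handshake; keep the segment trusted.
    # ssl-min-ver / ciphers: constructed list for an iLO 3 assumed to speak only
    # TLS 1.0 with CBC/SHA-1 suites. Replace with what the iLO actually accepts.
    server node1 192.168.2.185:443 ssl verify none ssl-min-ver TLSv1.0 ciphers AES128-SHA:AES256-SHA:DES-CBC3-SHA:@SECLEVEL=0 check
```

Before settling on the cipher list, probe the upstream directly from the haproxy host so you configure what it really offers: `openssl s_client -connect 192.168.2.185:443 -tls1` (and `-tls1_1`, `-tls1_2`), adding `-cipher 'DEFAULT:@SECLEVEL=0'` on an OpenSSL 3.x host; `haproxy -vv` shows which OpenSSL haproxy was built against. If every version and cipher fails even at security level 0, the support has been compiled out, which is the recompile case the answer describes. Test each hop separately as well: `openssl s_client -connect <haproxyip>:3333 -servername mydomain.com` checks the browser-facing side, whose failures haproxy logs in the `<frontend>/<bind index>: SSL handshake failure` form seen in the question, while a failed haproxy-to-iLO handshake shows up as a backend connection error on the request itself.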