5

I need to create haproxy with TLS, although it's working successfully with an SSL certificate. I have done the below configuration:

```
global
    log 127.0.0.1 local0 debug
    ssl-default-bind-options no-sslv3 2048
```

It's giving the below error. Please suggest where I should change it.

```
[ALERT] 330/075452 (70779) : parsing [/etc/haproxy/haproxy.cfg:8] : unknown keyword 'ssl-default-bind-options' in 'global' section
[ALERT] 330/075452 (70779) : Error(s) found in configuration file : /etc/haproxy/haproxy.cfg
[WARNING] 330/075452 (70779) : Setting tune.ssl.default-dh-param to 1024 by default, if your workload permits it you should set it to at least 2048. Please set a value >= 1024 to make this warning disappear.
[ALERT] 330/075452 (70779) : Fatal errors found in configuration.
```
Gerald Schneider
Surender
  • What version of haproxy are you using? – Gerald Schneider Nov 27 '18 at 07:37
  • HA-Proxy version 1.5.4 2014/09/02 – Surender Nov 27 '18 at 07:38
  • I have also tried the same on haproxy version 1.6.9 – Surender Nov 27 '18 at 07:39
  • `ssl-default-bind-options` seems to [have been implemented in 1.5.7](http://www.haproxy.org/news.html), so no wonder it doesn't work with 1.5.4. It should work with 1.6.9 though. – Gerald Schneider Nov 27 '18 at 07:44
  • hm ... seems I misread that news entry. It doesn't say that the option was implemented with that version. Sorry about that. – Gerald Schneider Nov 27 '18 at 07:53
  • @GeraldSchneider thanks for your quick response, but it's not working on haproxy 1.6.9. It would be very helpful for me if you could share a configuration sample. – Surender Nov 27 '18 at 07:56
  • Well, what is definitely wrong is the `2048` after `ssl-default-bind-options`. Remove it ... if that solves the problem, the error message is very misleading. – Gerald Schneider Nov 27 '18 at 08:08
  • Checked after removing 2048, now getting the below exception: [ALERT] 330/093325 (90684) : parsing [/etc/haproxy/haproxy.cfg:8] : unknown keyword 'ssl-default-bind-options' in 'global' section [ALERT] 330/093325 (90684) : Error(s) found in configuration file : /etc/haproxy/haproxy.cfg [WARNING] 330/093325 (90684) : Setting tune.ssl.default-dh-param to 1024 by default, if your workload permits it you should set it to at least 2048. Please set a value >= 1024 to make this warning disappear. [ALERT] 330/093325 (90684) : Fatal errors found in configuration. – Surender Nov 27 '18 at 09:00
  • Did my answer fix the issue? If so, please accept it. If not, please update your question or comment on my answer. – Tommiie Oct 20 '19 at 20:26

2 Answers

10

Try:

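```
global
  log 127.0.0.1 local0 debug
  # Protocol flags only; this keyword takes no numeric argument
  ssl-default-bind-options no-sslv3
  # The DH parameter size is a separate directive
  tune.ssl.default-dh-param 2048
```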
Tommiie
-1

Same question. But I did this:

```
[root@ops ~]# haproxy -vv | grep OpenSSL
Built without OpenSSL support (USE_OPENSSL not set)
```

So, I need to remake haproxy and reinstall it.

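```
# Unpack the source tarball, then run the build from inside the extracted directory
tar -zxvf haproxy***.tar.gz
# Build dependencies: OpenSSL and PCRE headers plus a compiler
yum install openssl openssl-devel pcre pcre-devel gcc -y
# USE_OPENSSL=1 compiles in the TLS support that was missing
make USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1
make install
```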

Then:

```
# Validate the configuration with the rebuilt binary
haproxy -c -f /etc/haproxy/haproxy.cfg
```
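
A preflight covering the two things the answers above point at, as an added example that is not part of either answer: it classifies the `haproxy -vv` output for OpenSSL support and lints the config for a numeric argument after `ssl-default-bind-options` and for a missing or small `tune.ssl.default-dh-param`. The function names and the sample variables are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): classify a build and lint the TLS globals.

# Reads `haproxy -vv` output on stdin; prints openssl, no-openssl or unknown.
openssl_build_status() {
    vv_output=$(cat)
    case $vv_output in
        *"Built without OpenSSL support"*) echo "no-openssl" ;;
        *"Built with OpenSSL"*)            echo "openssl" ;;
        *)                                 echo "unknown" ;;
    esac
}

# Reads a haproxy.cfg on stdin; prints one finding per line, nothing if clean.
lint_tls_globals() {
    awk '
        $1 == "ssl-default-bind-options" {
            for (i = 2; i <= NF; i++)
                if ($i ~ /^[0-9]+$/)
                    printf "line %d: stray numeric argument \"%s\" after ssl-default-bind-options\n", NR, $i
        }
        $1 == "tune.ssl.default-dh-param" { dh = $2 }
        END {
            if (dh == "")
                print "tune.ssl.default-dh-param not set (the warning above reports a 1024 fallback)"
            else if (dh + 0 < 2048)
                print "tune.ssl.default-dh-param " dh " is below 2048"
        }'
}

# Constructed samples: the -vv line from the second answer and the question's config.
NO_SSL_BUILD='Built without OpenSSL support (USE_OPENSSL not set)'
QUESTION_CFG='global
    log 127.0.0.1 local0 debug
    ssl-default-bind-options no-sslv3 2048'

printf '%s\n' "$NO_SSL_BUILD" | openssl_build_status
printf '%s\n' "$QUESTION_CFG" | lint_tls_globals

# On a real host:
#   haproxy -vv | openssl_build_status
#   lint_tls_globals < /etc/haproxy/haproxy.cfg
```

A `no-openssl` result means the TLS keywords are not compiled in, so the build has to be fixed before any config change can help.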