2

We have an a haproxy instance and one of our application only supports TLSv1.0. when it tries to connect via this haproxy, it fails with handshake failure.

How can i enable TLSv1.0 support on this haproxy instance. Below is my haproxy.cfg

global
daemon

log         /var/log local0 debug
maxconn     4000

ssl-default-bind-options   no-sslv3
tune.ssl.default-dh-param  2048

stats socket /var/lib/haproxy/stats

#---------------------------------------------------------------------
defaults
mode                    http
log                     global
option                  httplog
option                  dontlognull
option                  http-server-close
option                  forwardfor       except 127.0.0.0/8
option                  redispatch
retries                 3

timeout http-request    10m
timeout connect         10s
timeout client          10s
timeout server          10s

#---------------------------------------------------------------------
frontend api_passthrough

bind *:443 ssl crt /usr/local/etc/certs/ ciphers CECPQ1-RSA-AES256-GCM-SHA384:CECPQ1-RSA-CHACHA20-POLY1305-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-CCM:DHE-RSA-AES256-CCM:DHE-RSA-AES128-CCM8:DHE-RSA-AES256-CCM8:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CAMELLIA128-SHA256:DHE-RSA-CAMELLIA256-SHA256:DHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CAMELLIA128-SHA256:ECDHE-RSA-CAMELLIA256-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:CECPQ1-ECDSA-AES256-GCM-SHA384:CECPQ1-ECDSA-CHACHA20-POLY1305-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-CCM:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-AES128-CCM8:ECDHE-ECDSA-AES256-CCM8:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CAMELLIA128-SHA256:ECDHE-ECDSA-CAMELLIA256-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-CHACHA20-POLY1305:DHE-DSS-AES128-SHA256:DHE-DSS-AES256-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-DSS-AES256-GCM-SHA384:DHE-DSS-CAMELLIA128-SHA256:DHE-DSS-CAMELLIA256-SHA256
log /dev/log local0 debug
use_backend hapstats if { path_beg /stats }
default_backend api-gateway

#---------------------------------------------------------------------
backend api-gateway
http-request add-header x-amz-apigw-id xxxxxx

server vpce-1 10.xx.xx.xxx:443 check ssl verify none
server vpce-2 10.xx.xxx.xxx:443 check ssl verify none
server vpce-3 10.xx.xx.xx:443 check ssl verify none

backend hapstats
server haproxy 127.0.0.1:8888 check

listen stats
bind 127.0.0.1:8888
mode http
log global
maxconn 10
timeout client 100s
timeout server 100s
timeout connect 100s
timeout queue 100s

stats enable
stats admin if TRUE
stats hide-version
stats refresh 30s
stats show-node
stats uri /stats
stats auth admin:admin

I have gone through some post which suggested to add 

 ssl-default-bind-options TLSv1.0 ssl-min-ver

I have tried it and getting the error while reloading the config

unknown option 'TLSv1.0' on global statement 'ssl-default-bind-options'
Andromeda
  • 12,659
  • 20
  • 77
  • 103

1 Answers1

4

ssl-default-bind-options TLSv1.0 ssl-min-ver

The syntax is not correct.
Reading the documentation yo can see that the correct syntax would be ssl-default-bind-options ssl-min-ver TLSv1.0

Mo3m3n
  • 559
  • 2
  • 6