
Facing SSL handshake failure with the below HAProxy configuration, and an outage in our production environment.

Flow:

  • We are using a load balancer to distribute the traffic between the servers
  • Server proxy requests are handled by HAProxy
  • HAProxy takes care of proxying the request to the backend server

HAPROXY Configuration:

global
        log /dev/log    local0 debug
        log /dev/log    local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
        stats timeout 30s
        user haproxy
        group haproxy
        daemon
        # Default SSL material locations (global-section keywords)
        ca-base /etc/haproxy/ssl
        crt-base /etc/haproxy/ssl

defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull
        timeout connect 5000
        timeout client  50000
        timeout server  50000
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 504 /etc/haproxy/errors/504.http

frontend haproxy.service
        bind *:80
        bind *:443  ssl crt /etc/haproxy/ssl/test.pem ssl-min-ver TLSv1.2 ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
        http-request redirect scheme https unless { ssl_fc }
        default_backend backend.services

# The backend name must match the default_backend reference above
backend backend.services
        balance roundrobin
        server  backend.service 127.0.0.1:5001

I found on the Internet that an SSL handshake failure may happen in the below scenarios:

  • Protocol mismatch - tested all the TLS versions (TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.3); still facing SSL handshake failure
  • Cipher suite mismatch
    • Tested with the existing working cipher suite in the HAProxy configuration
    • Not sure about the cipher suite. Which suite will work for the above configuration?
  • Incorrect certificate
    • Checked it with an SSL checker and it passed.

Outputs of the below related command:

curl -v --tls-max 1.2 https://server.com/health
  • It says connected
  • SSL verification successful
  • HTTP/1.1 200 OK message

Error Message:

ALPN, server did not agree to a protocol

How can we handle this error message? Looking for:

  1. A solution for the SSL handshake failure
  2. Cipher suite suggestions
  3. Further areas we can test
  4. Suggestions/solutions to handle this error: "ALPN, server did not agree to a protocol"

James Z
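Added diagnostic script, not from the original post or from HAProxy: it probes the listener with `openssl s_client` once per TLS version, always offering ALPN h2 and http/1.1, and summarises the negotiated version, cipher and ALPN outcome, so a handshake failure can be pinned to a version or cipher mismatch, and a bind line without an `alpn h2,http/1.1` keyword shows up as `alpn=none` (the condition curl reports as "ALPN, server did not agree to a protocol"). It assumes openssl(1) is installed and that the host and port are passed as arguments.

```shell
#!/bin/sh
# Added diagnostic helper (not part of the original post). Assumes openssl(1) is installed.

# summarize_s_client: reads `openssl s_client` output on stdin and prints one line:
#   "<version> <cipher> alpn=<proto|none>", "ALERT(<reason>)", or "NO_CONNECTION".
summarize_s_client() {
  awk '
    / alert [a-z ]+/ {
      # e.g. "sslv3 alert handshake failure" or "tlsv1 alert protocol version"
      match($0, / alert [a-z ]+/)
      status = "ALERT(" substr($0, RSTART + 7, RLENGTH - 7) ")"
    }
    /^ *Protocol *:/      { ver = $3 }
    /^ *Cipher *:/        { cipher = $3 }
    /^ALPN protocol:/     { alpn = $3 }
    /^No ALPN negotiated/ { alpn = "none" }
    END {
      if (status != "")   print status
      else if (ver == "") print "NO_CONNECTION"
      else printf "%s %s alpn=%s\n", ver, cipher, (alpn == "" ? "none" : alpn)
    }'
}

# probe_tls HOST [PORT]: one handshake per TLS version. With ssl-min-ver TLSv1.2 on the
# bind line, tls1 and tls1_1 should report ALERT(protocol version); a cipher mismatch on
# TLS 1.2 reports ALERT(handshake failure); a bind line without "alpn" reports alpn=none.
probe_tls() {
  host=$1
  port=${2:-443}
  for v in tls1 tls1_1 tls1_2 tls1_3; do
    printf '%-8s ' "$v:"
    openssl s_client -connect "$host:$port" -servername "$host" \
      -alpn h2,http/1.1 "-$v" </dev/null 2>&1 | summarize_s_client
  done
}
```

Run it as `probe_tls server.com 443`; note that the `ciphers` list on the bind line only governs TLS 1.2 and below, so the TLS 1.3 line will show a `TLS_*` suite regardless of that list.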