Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Config for old client (TLS 1.0 / 1.1) won't work, for (at least) HAProxy 2.4. #206

Open
lvergergsk opened this issue Jun 15, 2023 · 6 comments
Assignees
Labels
compatibility Warnings, deprecations or incompatibilities to tackle P2 Priority: 2 S2 Severity: 2

Comments

@lvergergsk
Copy link

https://ssl-config.mozilla.org/#server=haproxy&version=2.4&config=old&openssl=1.1.1k&guideline=5.7

Comparing intermediate config with old config, you removed no-tlsv10 no-tlsv11, but this actually does not allow TLS 1.0 and TLS 1.1. You will need to add ssl-min-ver TLSv1.0 for this to work.

You can try it use curl --tlsv1.0 --tls-max 1.0 ...

@lvergergsk lvergergsk changed the title ssl-config.mozilla.org config for old client does not work. Config for old client (TLS 1.0 / 1.1) won't work, for (at least) HAProxy 2.4. Jun 15, 2023
@gene1wood
Copy link
Collaborator

@lvergergsk When you use the config that you link to in HAProxy, does HAProxy throw an error (can you share what the error is if it does)?

Can you tell me more about the curl line you start? Are you saying that HAProxy accepts the configuration but something wrong can be seen when you run a curl command?

@lvergergsk
Copy link
Author

lvergergsk commented Jun 20, 2023

@gene1wood
There was no error log in haproxy and the error produced by the curl command is below:

curl --tlsv1.0 --tls-max 1.0 https://xxx.xxx.com/
curl: (35) OpenSSL/1.1.1t: error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version

To clearfy, the point I intend to make is following:
Comparing the intermediate and old config, I think your old config is trying to allow TLS 1.0 and TLS 1.1 for those old client.
On the other hand, the value of ssl-min-ver is default to TLSv1.2 as decribed in HAProxy doc.
Hence we will fail to use TLS 1.0 and TLS 1.1 to connect the server with given old version of HAProxy config.

I added ssl-min-ver TLSv1.0 to my server and this fixed our old clients and my test curl command.

@lvergergsk
Copy link
Author

Actually ssl-min-ver and ssl-max-ver is preferred over no-tlsv... option from HAProxy 2.x.

@janbrasna
Copy link
Collaborator

janbrasna commented Dec 22, 2023

It was buggy before 2.2 haproxy/haproxy@2e8d52f see haproxy/haproxy#595 — so the question is… if that gets changed to ssl-min/max-ver, should that be behind haproxy version conditional, or such bug in the server should not be polluting the config definition? (Thing is… if the configuration doesn't get picked up, is it safe to provide it as a recommendation?)

EDIT: Oh it's a v2.0+ feature only IIRC anyways, so it has to be defined behind a version check:/ similar to 342242c — so I'd make the split at v2.2 to render no-* flags vs. newer ssl-min* to also get rid of the warning #152

How much work should go into fixing old configs for newer daemon versions (that might change defaults and need explicit legacy flags added)?

@janbrasna
Copy link
Collaborator

@lvergergsk What you're suggesting to force-enable TLSv1.1-v1.2 is to change the configs (for 2.0+ or 2.2+ see above) along the lines:

    # intermediate configuration
-    ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
+    ssl-default-bind-options prefer-client-ciphers no-tls-tickets ssl-min-ver TLSv1.2
-    ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
+    ssl-default-server-options no-tls-tickets ssl-min-ver TLSv1.2

(↑ this one has no impact, but needs v2+)

    # old configuration
-    ssl-default-bind-options no-sslv3 no-tls-tickets
+    ssl-default-bind-options no-tls-tickets ssl-min-ver TLSv1.0
-    ssl-default-server-options no-sslv3 no-tls-tickets
+    ssl-default-server-options no-tls-tickets ssl-min-ver TLSv1.0

to force lower TLS version than current default to cater to old clients?

@janbrasna janbrasna self-assigned this Oct 4, 2024
@janbrasna janbrasna added compatibility Warnings, deprecations or incompatibilities to tackle S2 Severity: 2 P2 Priority: 2 labels Oct 4, 2024
@gstrauss
Copy link
Collaborator

HandleBar is somewhat deficient as a template parser as HandleBar does not cleanly support compound conditional logic without duplication of contents.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
compatibility Warnings, deprecations or incompatibilities to tackle P2 Priority: 2 S2 Severity: 2
Projects
None yet
Development

No branches or pull requests

4 participants