Hi guys,

I was running haproxy 1.8.1 and testing out http2. For this I require the alpn 
h2,http/1.1 in my bind; however, when using multiple certificates together with 
alpn in 1.8.2, this seems to break.

My bind looks like this:

bind *:443 ssl crt /etc/haproxy/certs/default.pem crt /etc/haproxy/certs alpn h2,http/1.1

So I supply a default certificate (a wildcard for a specific domain); second, I 
supply a folder that haproxy scans, picking up all certificates within that 
directory. This configuration works perfectly in 1.8.1.
In 1.8.2, I'll get a certificate error whenever I have alpn h2,http/1.1 added; 
curl gives the following error:

* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /usr/local/etc/openssl/cert.pem
  CApath: /usr/local/etc/openssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: OU=Domain Control Validated; CN=*.domain.com
*  start date: Jan  3 11:17:55 2017 GMT
*  expire date: Jan  4 11:17:55 2018 GMT
*  subjectAltName: host "dashboard.domain.com" matched cert's "*.domain.com"
*  issuer: C=BE; O=GlobalSign nv-sa; CN=AlphaSSL CA - SHA256 - G2
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7fe99d815400)
> GET / HTTP/2
> Host: dashboard.domain.com
> User-Agent: curl/7.54.1
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, Client hello (1):
curl: (16) Error in the HTTP2 framing layer

Removing alpn (and http2 support) “fixes” the issue.

Best Regards,
Lucas Rolff

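As an added example (not part of the post above, nor haproxy's own tooling), here is a small shell helper for the check a practitioner would want when a bind mixes a default certificate, a certificate directory and alpn: for a given SNI name, which certificate the server actually serves and which ALPN protocol it settles on, probed once without and once with ALPN offered, so any change can be tied to the alpn option alone. It assumes the openssl CLI (the -alpn option needs OpenSSL 1.0.2 or newer); the host address, the SNI name and the sample s_client output in the usage note are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the `openssl` CLI
# (1.0.2 or newer, which added -alpn) is installed. Host and SNI name
# are placeholders to be replaced with the real values.

# Reduce `openssl s_client` output to the two facts that matter here:
# the subject of the certificate the server picked for the SNI name, and
# the ALPN protocol it negotiated ("none" if no ALPN line is present).
summarize_s_client() {
    awk '
        /^subject=/            { sub(/^subject=/, ""); subject = $0 }
        /^ALPN protocol:/      { sub(/^ALPN protocol: */, ""); alpn = $0 }
        /^No ALPN negotiated/  { alpn = "none" }
        END {
            if (alpn == "") alpn = "none"
            printf "alpn=%s subject=%s\n", alpn, subject
        }'
}

# Probe one SNI name against one host, first without ALPN and then
# offering h2,http/1.1, printing one summary line per handshake.
# Needs network access to the target; not exercised in the offline test.
probe_sni() {
    host="$1"; sni="$2"
    for alpn in "" "h2,http/1.1"; do
        # Build the optional -alpn argument pair only when a list is set.
        if [ -n "$alpn" ]; then set -- -alpn "$alpn"; else set --; fi
        printf 'alpn_offered=%s ' "${alpn:-none}"
        openssl s_client -connect "$host:443" -servername "$sni" "$@" \
            </dev/null 2>/dev/null | summarize_s_client
    done
}

# Live usage (placeholders): probe_sni 203.0.113.10 dashboard.domain.com
```

Run probe_sni once per SNI name served from the certificate directory; if the subject differs between the two lines for the same name, the certificate selection itself changed with ALPN, whereas identical subjects with alpn=h2 point at the HTTP/2 layer rather than at the TLS certificate lookup.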