- you said that using multiple certs breaks, but did you get a working state in 
any way ?

Actually regarding the multiple certs breaking – I was wrong.

So, if I use release 1.8.1 (downloaded from haproxy.org and compiling from 
source) then my bind works perfectly.

If I use release 1.8.2 with the same compile options, and I use the same bind, or 
even a bind with a single certificate ( bind *:443 ssl crt 
/etc/haproxy/certs/wildcard_domain.com.pem alpn h2,http/1.1 ), I still end up 
with the same error from curl:

curl: (16) Error in the HTTP2 framing layer

So it’s as long as I pass alpn h2,http/1.1 in my bind “flag” that it breaks.

>  if you run haproxy with -d (debug mode), do you see something like this :

Yes, I see the ALPN=h2:

00000000:https_frontend.accept(0006)=0010 from [80.61.160.xxx:52922] ALPN=h2
00000000:https_frontend.clireq[0010:ffffffff]: GET / HTTP/1.1
00000000:https_frontend.clihdr[0010:ffffffff]: user-agent: curl/7.54.1
00000000:https_frontend.clihdr[0010:ffffffff]: accept: */*
00000000:https_frontend.clihdr[0010:ffffffff]: host: dashboard.domain.com
00000000:cdn-backend.srvcls[0010:adfd]
00000000:cdn-backend.clicls[0010:adfd]
00000000:cdn-backend.closed[0010:adfd]

> are you sure you didn't limit your buffer size to less than 16kB ?

Config between my compiled 1.8.1 and 1.8.2 didn’t change at all, and I’m also 
not touching buffers within the haproxy config; the only defaults I really set 
are connect, client and server timeouts – the rest pretty much stays the same:

https://gist.github.com/lucasRolff/12b2036baa47400d6c3437a67d9f5fd1 - I try to 
avoid touching things; the instance does next to no traffic, so defaults *should* 
be fine.
So unless buffers changed between 1.8.1 and 1.8.2, no changes have been made.

The specific request will have a content-length of 55 kilobytes.

> how did you manage to get curl to emit this amount of useful debugging 
> information ? I never got that even after reading all options, I'm jealous!

Use the -vvv option in curl – or even better, on http2-enabled sites, you can use 
nghttp -v http://url/; it will give you extensive information regarding your 
http2 traffic – since it will be aware of your streams, priorities etc etc.

Best Regards,
Lucas Rolff

On 27/12/2017, 19.25, "Willy Tarreau" <w...@1wt.eu> wrote:

    Hi Lucas,
    
    On Wed, Dec 27, 2017 at 04:49:31PM +0000, Lucas Rolff wrote:
    > Hi guys,
    > 
    > I was running haproxy 1.8.1 and testing out http2, for this I require the alpn h2,http/1.1 in my bind - however when using multiple certificates together with alpn in 1.8.2 - this seems to break.
    > 
    > My bind looks like this:
    > 
    > bind *:443 ssl crt /etc/haproxy/certs/default.pem crt /etc/haproxy/certs alpn h2,http/1.1
    > 
    > So I supply a default certificate (wildcard for a specific domain), second I supply a folder that haproxy scans and picks up all certificates within that directory - this configuration works perfectly in 1.8.1
    > In 1.8.2, I'll get a certificate error whenever I have alpn h2,http/1.1 added, curl gives following error:
    > 
    > * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
    > * successfully set certificate verify locations:
    > *   CAfile: /usr/local/etc/openssl/cert.pem
    >   CApath: /usr/local/etc/openssl/certs
    > * TLSv1.2 (OUT), TLS header, Certificate Status (22):
    > * TLSv1.2 (OUT), TLS handshake, Client hello (1):
    > * TLSv1.2 (IN), TLS handshake, Server hello (2):
    > * TLSv1.2 (IN), TLS handshake, Certificate (11):
    > * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
    > * TLSv1.2 (IN), TLS handshake, Server finished (14):
    > * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
    > * TLSv1.2 (OUT), TLS change cipher, Client hello (1):
    > * TLSv1.2 (OUT), TLS handshake, Finished (20):
    > * TLSv1.2 (IN), TLS change cipher, Client hello (1):
    > * TLSv1.2 (IN), TLS handshake, Finished (20):
    > * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
    > * ALPN, server accepted to use h2
    > * Server certificate:
    > *  subject: OU=Domain Control Validated; CN=*.domain.com
    > *  start date: Jan  3 11:17:55 2017 GMT
    > *  expire date: Jan  4 11:17:55 2018 GMT
    > *  subjectAltName: host "dashboard.domain.com" matched cert's "*.domain.com"
    > *  issuer: C=BE; O=GlobalSign nv-sa; CN=AlphaSSL CA - SHA256 - G2
    > *  SSL certificate verify ok.
    > * Using HTTP2, server supports multi-use
    > * Connection state changed (HTTP/2 confirmed)
    > * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
    > * Using Stream ID: 1 (easy handle 0x7fe99d815400)
    > > GET / HTTP/2
    > > Host: dashboard.domain.com
    > > User-Agent: curl/7.54.1
    > > Accept: */*
    > >
    > * Connection state changed (MAX_CONCURRENT_STREAMS updated)!
    > * Closing connection 0
    > * TLSv1.2 (OUT), TLS alert, Client hello (1):
    > curl: (16) Error in the HTTP2 framing layer
    > 
    > Removing alpn (and http2 support) "fixes" the issue.
    
    Wow that's scary. I have no idea what can cause this at the moment. These
    parts are so much isolated that I really don't understand. Just a few
    questions :
      - you said that using multiple certs breaks, but did you get a working
        state in any way ?
    
      - if you run haproxy with -d (debug mode), do you see something like
        this :
    
        00000000:decrypt.accept(0007)=000b from [127.0.0.1:46158] ALPN=h2
        00000000:decrypt.clireq[000b:ffffffff]: GET / HTTP/1.1
        00000000:decrypt.clihdr[000b:ffffffff]: user-agent: curl/7.54.1
        00000000:decrypt.clihdr[000b:ffffffff]: accept: */*
        00000000:decrypt.clihdr[000b:ffffffff]: host: 127.0.0.1:4443
    
        (note the "ALPN=h2" at the top)
    
      - are you sure you didn't limit your buffer size to less than 16kB ? I
        was supposed to add a parse error for this when parsing a config, and
        for a reason I don't remember, I think I didn't add it.
    
      - how did you manage to get curl to emit this amount of useful debugging
        information ? I never got that even after reading all options, I'm jealous!
    
    Thanks,
    Willy
    
