Hi, Thanks for your answer. Yes, that's a lot of informations ! I will give a try to this link, I was trying to adapt a similar solution for another version :-) Regards
Le 09-Jun-2022 10:06:49 +0200, al-hapr...@none.at a crit: Hi spfma.tech. Uff, the mail is quite hard to read but looks like you are on ubuntu. Maybe this page can help to solve your issue. Enable TLSv1 in Ubuntu 20.04 https://ndk.sytes.net/wordpress/?p=1169 Regards Alex On Thu, 09 Jun 2022 09:58:10 +0200 spfma.t...@e.mail.fr wrote: > Hi, Thanks for your answer. I have tried the generated config from this > wonderful site, but no improvement. So here is the output of the haproxy > command : HA-Proxy version 2.3.20-1ppa1~focal 2022/04/29 - > https://haproxy.org/ Status: End of life - please upgrade to branch 2.4. > Known bugs: http://www.haproxy.org/bugs/bugs-2.3.20.html Running on: Linux > 5.4.0-113-generic #127-Ubuntu SMP Wed May 18 14:30:56 UTC 2022 x86_64 Build > options : TARGET = linux-glibc CPU = generic > CC = cc > CFLAGS = -O2 -g -O2 > -fdebug-prefix-map=/build/haproxy-VMWa1u/haproxy-2.3.20=. > -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time > -D_FORTIFY_SOURCE=2 -Wall -Wextra -Wdeclaration-after-statement -fwrapv > -Wno-address-of-packed-member -Wno-unused-label -Wno-sign-compare > -Wno-unused-parameter -Wno-clobbered -Wno-missing-field-initializers > -Wno-cast-function-type -Wtype-limits -Wshift-negative-value > -Wshift-overflow=2 -Wduplicated-cond -Wnull-dereference OPTIONS = USE_PCRE2=1 > USE_PCRE2_JIT=1 USE_OPENSSL=1 USE_LUA=1 USE_ZLIB=1 USE_SYSTEMD=1 DEBUG = > > Feature list : +EPOLL -KQUEUE +NETFILTER -PCRE -PCRE_JIT +PCRE2 +PCRE2_JIT > +POLL -PRIVATE_CACHE +THREAD -PTHREAD_PSHARED +BACKTRACE -STATIC_PCRE > -STATIC_PCRE2 +TPROXY +LINUX_TPROXY +LINUX_SPLICE +LIBCRYPT +CRYPT_H > +GETADDRINFO +OPENSSL +LUA +FUTEX +ACCEPT4 -CLOSEFROM +ZLIB -SLZ > +CPU_AFFINITY +TFO +NS +DL +RT -DEVICEATLAS -51DEGREES -WURFL +SYSTEMD > -OBSOLETE_LINKER +PRCTL +THREAD_DUMP -EVPORTS > > Default settings : > bufsize = 16384, maxrewrite = 1024, maxpollevents = 200 > > Built with multi-threading support (MAX_THREADS=64, default=2). > Built with OpenSSL version : OpenSSL 1.1.1f 31 Mar 2020 > Running on OpenSSL version : OpenSSL 1.1.1f 31 Mar 2020 > OpenSSL library supports TLS extensions : yes > OpenSSL library supports SNI : yes > OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3 > Built with Lua version : Lua 5.3.3 > Built with network namespace support. > Built with the Prometheus exporter as a service > Built with zlib version : 1.2.11 > Running on zlib version : 1.2.11 > Compression algorithms supported : identity("identity"), deflate("deflate"), > raw-deflate("deflate"), gzip("gzip") Built with transparent proxy support > using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND Built with PCRE2 version : > 10.34 2019-11-21 PCRE2 library supports JIT : yes > Encrypted password support via crypt(3): yes > Built with gcc compiler version 9.4.0 > > Available polling systems : > epoll : pref=300, test result OK > poll : pref=200, test result OK > select : pref=150, test result OK > Total: 3 (3 usable), will use epoll. > > Available multiplexer protocols : > (protocols marked as cannot be specified using 'proto' keyword) > h2 : mode=HTTP side=FE|BE mux=H2 > fcgi : mode=HTTP side=BE mux=FCGI > : mode=HTTP side=FE|BE mux=H1 > : mode=TCP side=FE|BE mux=PASS > > Available services : prometheus-exporter > Available filters : > [SPOE] spoe > [CACHE] cache > [FCGI] fcgi-app > [COMP] compression > [TRACE] trace --- OpenSSL 1.1.1f 31 Mar 2020 > built on: Tue May 3 17:49:36 2022 UTC > platform: debian-amd64 > options: bn(64,64) rc4(16x,int) des(int) blowfish(ptr) > compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -Wa,--noexecstack > -g -O2 -fdebug-prefix-map=/build/openssl-7zx7z2/openssl-1.1.1f=. > -fstack-protector-strong -Wformat -Werror=format-security > -DOPENSSL_TLS_SECURITY_LEVEL=2 -DOPENSSL_USE_NODELETE -DL_ENDIAN > -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT > -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM > -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM > -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DNDEBUG > -Wdate-time -D_FORTIFY_SOURCE=2 OPENSSLDIR: "/usr/lib/ssl" ENGINESDIR: > "/usr/lib/x86_64-linux-gnu/engines-1.1" Seeding source: os-specific > > --- # > # OpenSSL example configuration file. > # This is mostly being used for generation of certificate requests. > # > > # Note that you can include other files from the main configuration > # file using the .include directive. > #.include filename > > # This definition stops the following lines choking if HOME isn't > # defined. > HOME = . > > # Extra OBJECT IDENTIFIER info: > #oid_file = $ENV::HOME/.oid > oid_section = new_oids > > # To use this configuration file with the "-extfile" option of the > # "openssl x509" utility, name here the section containing the > # X.509v3 extensions to use: > # extensions = > # (Alternatively, use a configuration file that has only > # X.509v3 extensions in its main [= default] section.) > > [ new_oids ] > > # We can add new OIDs in here for use by 'ca', 'req' and 'ts'. > # Add a simple OID like this: > # testoid1=1.2.3.4 > # Or use config file substitution like this: > # testoid2=${testoid1}.5.6 > > # Policies used by the TSA examples. > tsa_policy1 = 1.2.3.4.1 > tsa_policy2 = 1.2.3.4.5.6 > tsa_policy3 = 1.2.3.4.5.7 > > #################################################################### > [ ca ] > default_ca = CA_default # The default ca section > > #################################################################### > [ CA_default ] > > dir = ./demoCA # Where everything is kept > certs = $dir/certs # Where the issued certs are kept > crl_dir = $dir/crl # Where the issued crl are kept > database = $dir/index.txt # database index file. > #unique_subject = no # Set to 'no' to allow creation of > # several certs with same subject. > new_certs_dir = $dir/newcerts # default place for new certs. > > certificate = $dir/cacert.pem # The CA certificate > serial = $dir/serial # The current serial number > crlnumber = $dir/crlnumber # the current crl number > # must be commented out to leave a V1 CRL > crl = $dir/crl.pem # The current CRL > private_key = $dir/private/cakey.pem# The private key > > x509_extensions = usr_cert # The extensions to add to the cert > > # Comment out the following two lines for the "traditional" > # (and highly broken) format. > name_opt = ca_default # Subject Name options > cert_opt = ca_default # Certificate field options > > # Extension copying option: use with caution. > # copy_extensions = copy > > # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs > # so this is commented out by default to leave a V1 CRL. > # crlnumber must also be commented out to leave a V1 CRL. > # crl_extensions = crl_ext > > default_days = 365 # how long to certify for > default_crl_days= 30 # how long before next CRL > default_md = default # use public key default MD > preserve = no # keep passed DN ordering > > # A few difference way of specifying how similar the request should look > # For type CA, the listed attributes must be the same, and the optional > # and supplied fields are just that :-) > policy = policy_match > > # For the CA policy > [ policy_match ] > countryName = match > stateOrProvinceName = match > organizationName = match > organizationalUnitName = optional > commonName = supplied > emailAddress = optional > > # For the 'anything' policy > # At this point in time, you must list all acceptable 'object' > # types. > [ policy_anything ] > countryName = optional > stateOrProvinceName = optional > localityName = optional > organizationName = optional > organizationalUnitName = optional > commonName = supplied > emailAddress = optional > > #################################################################### > [ req ] > default_bits = 2048 > default_keyfile = privkey.pem > distinguished_name = req_distinguished_name > attributes = req_attributes > x509_extensions = v3_ca # The extensions to add to the self signed cert > > # Passwords for private keys if not present they will be prompted for > # input_password = secret > # output_password = secret > > # This sets a mask for permitted string types. There are several options. > # default: PrintableString, T61String, BMPString. > # pkix : PrintableString, BMPString (PKIX recommendation before 2004) > # utf8only: only UTF8Strings (PKIX recommendation after 2004). > # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). > # MASK:XXXX a literal mask value. > # WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings. > string_mask = utf8only > > # req_extensions = v3_req # The extensions to add to a certificate request > > [ req_distinguished_name ] > countryName = Country Name (2 letter code) > countryName_default = AU > countryName_min = 2 > countryName_max = 2 > > stateOrProvinceName = State or Province Name (full name) > stateOrProvinceName_default = Some-State > > localityName = Locality Name (eg, city) > > 0.organizationName = Organization Name (eg, company) > 0.organizationName_default = Internet Widgits Pty Ltd > > # we can do this but it is not needed normally :-) > #1.organizationName = Second Organization Name (eg, company) > #1.organizationName_default = World Wide Web Pty Ltd > > organizationalUnitName = Organizational Unit Name (eg, section) > #organizationalUnitName_default = > > commonName = Common Name (e.g. server FQDN or YOUR name) > commonName_max = 64 > > emailAddress = Email Address > emailAddress_max = 64 > > # SET-ex3 = SET extension number 3 > > [ req_attributes ] > challengePassword = A challenge password > challengePassword_min = 4 > challengePassword_max = 20 > > unstructuredName = An optional company name > > [ usr_cert ] > > # These extensions are added when 'ca' signs a request. > > # This goes against PKIX guidelines but some CAs do it and some software > # requires this to avoid interpreting an end user certificate as a CA. > > basicConstraints=CA:FALSE > > # Here are some examples of the usage of nsCertType. If it is omitted > # the certificate can be used for anything *except* object signing. > > # This is OK for an SSL server. > # nsCertType = server > > # For an object signing certificate this would be used. > # nsCertType = objsign > > # For normal client use this is typical > # nsCertType = client, email > > # and for everything including object signing: > # nsCertType = client, email, objsign > > # This is typical in keyUsage for a client certificate. > # keyUsage = nonRepudiation, digitalSignature, keyEncipherment > > # This will be displayed in Netscape's comment listbox. > nsComment = "OpenSSL Generated Certificate" > > # PKIX recommendations harmless if included in all certificates. > subjectKeyIdentifier=hash > authorityKeyIdentifier=keyid,issuer > > # This stuff is for subjectAltName and issuerAltname. > # Import the email address. > # subjectAltName=email:copy > # An alternative to produce certificates that aren't > # deprecated according to PKIX. > # subjectAltName=email:move > > # Copy subject details > # issuerAltName=issuer:copy > > #nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem > #nsBaseUrl > #nsRevocationUrl > #nsRenewalUrl > #nsCaPolicyUrl > #nsSslServerName > > # This is required for TSA certificates. > # extendedKeyUsage = critical,timeStamping > > [ v3_req ] > > # Extensions to add to a certificate request > > basicConstraints = CA:FALSE > keyUsage = nonRepudiation, digitalSignature, keyEncipherment > > [ v3_ca ] > > # Extensions for a typical CA > > # PKIX recommendation. > > subjectKeyIdentifier=hash > > authorityKeyIdentifier=keyid:always,issuer > > basicConstraints = critical,CA:true > > # Key usage: this is typical for a CA certificate. However since it will > # prevent it being used as an test self-signed certificate it is best > # left out by default. > # keyUsage = cRLSign, keyCertSign > > # Some might want this also > # nsCertType = sslCA, emailCA > > # Include email address in subject alt name: another PKIX recommendation > # subjectAltName=email:copy > # Copy issuer details > # issuerAltName=issuer:copy > > # DER hex encoding of an extension: beware experts only! > # obj=DER:02:03 > # Where 'obj' is a standard or added object > # You can even override a supported extension: > # basicConstraints= critical, DER:30:03:01:01:FF > > [ crl_ext ] > > # CRL extensions. > # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. > > # issuerAltName=issuer:copy > authorityKeyIdentifier=keyid:always > > [ proxy_cert_ext ] > # These extensions should be added when creating a proxy certificate > > # This goes against PKIX guidelines but some CAs do it and some software > # requires this to avoid interpreting an end user certificate as a CA. > > basicConstraints=CA:FALSE > > # Here are some examples of the usage of nsCertType. If it is omitted > # the certificate can be used for anything *except* object signing. > > # This is OK for an SSL server. > # nsCertType = server > > # For an object signing certificate this would be used. > # nsCertType = objsign > > # For normal client use this is typical > # nsCertType = client, email > > # and for everything including object signing: > # nsCertType = client, email, objsign > > # This is typical in keyUsage for a client certificate. > # keyUsage = nonRepudiation, digitalSignature, keyEncipherment > > # This will be displayed in Netscape's comment listbox. > nsComment = "OpenSSL Generated Certificate" > > # PKIX recommendations harmless if included in all certificates. > subjectKeyIdentifier=hash > authorityKeyIdentifier=keyid,issuer > > # This stuff is for subjectAltName and issuerAltname. > # Import the email address. > # subjectAltName=email:copy > # An alternative to produce certificates that aren't > # deprecated according to PKIX. > # subjectAltName=email:move > > # Copy subject details > # issuerAltName=issuer:copy > > #nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem > #nsBaseUrl > #nsRevocationUrl > #nsRenewalUrl > #nsCaPolicyUrl > #nsSslServerName > > # This really needs to be in place for it to be a proxy certificate. > proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo > > #################################################################### HAproxy > host "openssl.conf" [ tsa ] > > default_tsa = tsa_config1 # the default TSA section > > [ tsa_config1 ] > > # These are used by the TSA reply generation only. > dir = ./demoCA # TSA root directory > serial = $dir/tsaserial # The current serial number (mandatory) > crypto_device = builtin # OpenSSL engine to use for signing > signer_cert = $dir/tsacert.pem # The TSA signing certificate > # (optional) > certs = $dir/cacert.pem # Certificate chain to include in reply > # (optional) > signer_key = $dir/private/tsakey.pem # The TSA private key (optional) > signer_digest = sha256 # Signing digest to use. (Optional) > default_policy = tsa_policy1 # Policy if request did not specify it > # (optional) > other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional) > digests = sha1, sha256, sha384, sha512 # Acceptable message digests > (mandatory) accuracy = secs:1, millisecs:500, microsecs:100 # (optional) > clock_precision_digits = 0 # number of digits after dot. (optional) > ordering = yes # Is ordering defined for timestamps? > # (optional, default: no) > tsa_name = yes # Must the TSA name be included in the reply? > # (optional, default: no) > ess_cert_id_chain = no # Must the ESS cert id chain be included? > # (optional, default: no) > ess_cert_id_alg = sha1 # algorithm to compute certificate > # identifier (optional, default: sha1) Regards > Le 09-Jun-2022 09:13:21 +0200, lu...@ltri.eu a crit: > On Thu, 9 Jun 2022 at 08:42, wrote: > > > > Hi, > > > > I need to enable TLS V1.0 because of some legacy clients which have just > > been "discovered" and won't be updated. > > Configure "ssl-default-bind-ciphers" as per: > https://ssl-config.mozilla.org/#server=haproxy&version=2.3&config=old&openssl=1.1.1k&guideline=5.6 > > If you don't allow TLSv1.0 ciphers, TLSv1.0 can't be used. > > Also it's possible OpenSSL is so new it needs additional convincing. > Share the full output of haproxy -vv, including the OpenSSL release > please. > > > Can someone tell me what I am missing ? I have found a few messages > > about adding other cipher suites, .... but nothing lead to an improvement. > > You will have to share more data. Full output of haproxy -vv, full ssl > configuration. Can't really troubleshoot without configurations and > exact software releases (openssl). > > Lukas > > ------------------------------------------------------------------------------------------------- > FreeMail powered by mail.fr ------------------------------------------------------------------------------------------------- FreeMail powered by mail.fr
