DOC/MINOR: Typo in INSTALL doc

2022-05-02 Thread Tomás Zubiri
Line 227/581 Col 53/75 char 9913/27467

Section 4.5 cryptography
"is known to build ant work with branches"

Release Branch 2.5.0


VS: HAproxy reset TLS connection (Solved)

2022-05-02 Thread Henning Svane
Hi

Solved!
I found out what was the problem.

Exchange Server 2019 does not use HTTP/2, only 1.1. And I specified alpn h2; this 
was the problem, not a certificate error.
But as the error does not say what is wrong, it can be difficult to find out.
The way I found out was by using this program as a trial: Fiddler Everywhere.
It can show the network capture like Wireshark, but also decrypt it, so you can 
see what's going on. And here I could see it was HTTP/1.1.

So the traffic was reset because the server has sent 200 OK, but in HTTP/1.1 
and not in HTTP/2, and therefore it was not accepted.


I am still trying to get TLS to work, but so far with no luck.

Haproxy:  fc00:::##61::11
Server:  fc00:::##22::11 (Exchange server)

When I run my mini HAProxy test script, HAProxy closes the connection with 
Encryption Alert or, as it shows in the log file:
failed, reason: Layer7 invalid response, check duration: 10ms

I have tried to look into the traffic with Wireshark, and it is here I can see 
that it is terminated with "Encryption Alert (21)".
But why, I cannot see, and I cannot find a way to get more information out of 
HAProxy.
Both wget and curl with the certificate work as they should and reply 200 OK.
curl https://xmail.XX.dk/ecp/healthcheck.htm --cacert crt5.pem
200 OK
Crt5.pem = public + intermediates + Root CA + Private

This is the code that produces the connection:
 backend HA_DAG_XMail_ECP
   mode http
   id 503
   log global
   balance roundrobin
   option log-health-checks
   option httpchk GET /ecp/healthcheck.htm
   http-check expect status 200
   server XMailDB01 XMail01.xx.dk:443 check maxconn 100 ssl ca-file /etc/haproxy/crt/crt5.pem alpn h2
   server XMailDB02 XMail02.xx.dk:443 check maxconn 100 ssl ca-file /etc/haproxy/crt/crt5.pem alpn h2
   server XMailDB03 XMail03.xx.dk:443 check maxconn 100 ssl ca-file /etc/haproxy/crt/crt5.pem alpn h2

Here is the TLS output from Wireshark:
27  15:54:19,399602  fc00:::##61::11  fc00:::##22::11  TLSv1.2  324  Client Hello
30  15:54:19,401908  fc00:::##22::11  fc00:::##61::11  TLSv1.2  694  Server Hello, Certificate, Server Key Exchange, Server Hello Done
34  15:54:19,405761  fc00:::##61::11  fc00:::##22::11  TLSv1.2  232  Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
35  15:54:19,407486  fc00:::##22::11  fc00:::##61::11  TLSv1.2  125  Change Cipher Spec, Encrypted Handshake Message
36  15:54:19,407584  fc00:::##22::11  fc00:::##61::11  TLSv1.2  143  Application Data
39  15:54:19,407936  fc00:::##61::11  fc00:::##22::11  TLSv1.2  159  Application Data
43  15:54:21,410207  fc00:::##61::11  fc00:::##22::11  TLSv1.2  324  Client Hello
46  15:54:21,412491  fc00:::##22::11  fc00:::##61::11  TLSv1.2  694  Server Hello, Certificate, Server Key Exchange, Server Hello Done
50  15:54:21,416660  fc00:::##61::11  fc00:::##22::11  TLSv1.2  232  Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
51  15:54:21,418423  fc00:::##22::11  fc00:::##61::11  TLSv1.2  125  Change Cipher Spec, Encrypted Handshake Message
52  15:54:21,418561  fc00:::##22::11  fc00:::##61::11
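
The fix described in this message, written out as configuration: the posted backend with `alpn h2` beside a version that offers only `http/1.1`. This is an added example, not the poster's final configuration; `alpn http/1.1` is an assumed way to apply the fix, since the message does not show the corrected lines.

```haproxy
backend HA_DAG_XMail_ECP
    mode http
    id 503
    log global
    balance roundrobin
    option log-health-checks
    option httpchk GET /ecp/healthcheck.htm
    http-check expect status 200

    # Before (as posted): "alpn h2" advertises only HTTP/2 to the backend.
    # The thread identifies this as the cause of the failed health checks
    # ("Layer7 invalid response"), because the server answers in HTTP/1.1.
    # server XMailDB01 XMail01.xx.dk:443 check maxconn 100 ssl ca-file /etc/haproxy/crt/crt5.pem alpn h2

    # After (assumed correction): advertise only the protocol the backend
    # actually speaks. Health checks use the server's "alpn" value unless a
    # separate "check-alpn" is given, so one keyword covers traffic and checks.
    # Dropping the "alpn" keyword entirely is the other option.
    server XMailDB01 XMail01.xx.dk:443 check maxconn 100 ssl ca-file /etc/haproxy/crt/crt5.pem alpn http/1.1
    server XMailDB02 XMail02.xx.dk:443 check maxconn 100 ssl ca-file /etc/haproxy/crt/crt5.pem alpn http/1.1
    server XMailDB03 XMail03.xx.dk:443 check maxconn 100 ssl ca-file /etc/haproxy/crt/crt5.pem alpn http/1.1

    # Note: "ca-file" only needs the CA certificates used to verify the
    # backend's certificate; it does not need a private key.
```

To see which protocol a backend selects before choosing the value, `openssl s_client -connect XMail01.xx.dk:443 -alpn h2,http/1.1` reports it on the `ALPN protocol:` line of its output.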
 

HAproxy reset TLS connection

2022-05-02 Thread Henning Svane
Hi

I am still trying to get TLS to work, but so far with no luck.

Haproxy:  fc00:::##61::11
Server:  fc00:::##22::11 (Exchange server)

When I run my mini HAProxy test script, HAProxy closes the connection with 
Encryption Alert or, as it shows in the log file:
failed, reason: Layer7 invalid response, check duration: 10ms

I have tried to look into the traffic with Wireshark, and it is here I can see 
that it is terminated with "Encryption Alert (21)".
But why, I cannot see, and I cannot find a way to get more information out of 
HAProxy.
Both wget and curl with the certificate work as they should and reply 200 OK.
curl https://xmail.XX.dk/ecp/healthcheck.htm --cacert crt5.pem
200 OK
Crt5.pem = public + intermediates + Root CA + Private

This is the code that produces the connection:
 backend HA_DAG_XMail_ECP
   mode http
   id 503
   log global
   balance roundrobin
   option log-health-checks
   option httpchk GET /ecp/healthcheck.htm
   http-check expect status 200

Here is the TLS output from Wireshark:
27  15:54:19,399602  fc00:::##61::11  fc00:::##22::11  TLSv1.2  324  Client Hello
30  15:54:19,401908  fc00:::##22::11  fc00:::##61::11  TLSv1.2  694  Server Hello, Certificate, Server Key Exchange, Server Hello Done
34  15:54:19,405761  fc00:::##61::11  fc00:::##22::11  TLSv1.2  232  Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
35  15:54:19,407486  fc00:::##22::11  fc00:::##61::11  TLSv1.2  125  Change Cipher Spec, Encrypted Handshake Message
36  15:54:19,407584  fc00:::##22::11  fc00:::##61::11  TLSv1.2  143  Application Data
39  15:54:19,407936  fc00:::##61::11  fc00:::##22::11  TLSv1.2  159  Application Data
43  15:54:21,410207  fc00:::##61::11  fc00:::##22::11  TLSv1.2  324  Client Hello
46  15:54:21,412491  fc00:::##22::11  fc00:::##61::11  TLSv1.2  694  Server Hello, Certificate, Server Key Exchange, Server Hello Done
50  15:54:21,416660  fc00:::##61::11  fc00:::##22::11  TLSv1.2  232  Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
51  15:54:21,418423  fc00:::##22::11  fc00:::##61::11  TLSv1.2  125  Change Cipher Spec, Encrypted Handshake Message
52  15:54:21,418561  fc00:::##22::11  fc00:::##61::11  TLSv1.2  143  Application Data
55  15:54:21,418931  fc00:::##61::11  fc00:::##22::11  TLSv1.2  159  Application Data
56  15:54:21,419013  fc00:::##61::11  fc00:::##22::11  TLSv1.2  105  Encrypted Alert
61  15:54:23,421367  fc00:::##61::11  fc00:::##22::11  TLSv1.2  324  Client Hello
64  15:54:23,423533  fc00:::##22::11  fc00:::##61::11  TLSv1.2  694  Server Hello, 

Re: Download Question

2022-05-02 Thread Aleksandar Lazic
Hi.

On Mon, 2 May 2022 14:44:45 +
Dave Swinton  wrote:

> Do you have a repository for the current releases in RPM? We are currently
> using 1.8 but would like to move to 2.5.x after some internal testing but
> don't see any direct links to an RPM from the download page.

You can build your own version based on this repo.

https://github.com/DBezemer/rpm-haproxy

Regards
Alex

> Thank you.
> 
> David Swinton
> RedIron Technologies
> Mobile: (925) 864-1783
> Email:  dave.swin...@redirontech.com
> 
> 




Download Question

2022-05-02 Thread Dave Swinton
Do you have a repository for the current releases in RPM? We are currently 
using 1.8 but would like to move to 2.5.x after some internal testing but don't 
see any direct links to an RPM from the download page.

Thank you.

David Swinton
RedIron Technologies
Mobile: (925) 864-1783
Email:  dave.swin...@redirontech.com
