I've enabled stats on haproxy 1.8.10

With

        haproxy.conf
                ...
                listen stats
                        ...
                        bind 192.0.2.1:1234
                        ...

the non-ssl stats web page is fully accessible/functional.

If I enable ssl for it, 1st concatenating my crt & key

        cat haproxy.crt.pem haproxy.key.pem > haproxy.CONCAT.crt.pem

Checking the cert, with my CA cert

        openssl verify \
         -CAfile /usr/local/etc/haproxy/ssl/myCA.CHAIN.crt.pem \
         /usr/local/etc/haproxy/ssl/haproxy.CONCAT.pem
                haproxy.CONCAT.crt.pem: OK

Verifying cipher support

        openssl ciphers -tls1_2
                ...:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:...

then configuring

        haproxy.conf
                global
                        ...
+                       ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
+                       ssl-default-bind-options force-tlsv12
                        ...
                listen stats
                        ...
-                       bind 192.0.2.1:1234
+                       bind 192.0.2.1:1234 ssl crt /usr/local/etc/haproxy/ssl/haproxy.CONCAT.crt.pem ca-file /usr/local/etc/haproxy/ssl/myCA.CHAIN.crt.pem
                        ...

secure access to the stats page fails,

        Cannot communicate securely with peer: no common encryption algorithm(s). Error code: SSL_ERROR_NO_CYPHER_OVERLAP

I regularly use my generated certs/keys with CHACHA20 ciphers elsewhere, so 
they're not _inherently_ the issue.

If not a simple config issue on my end, I suspect it's possible this is (?) 
related to the 'mystery' Openssl lib linking issue I'm having, @ 
https://www.mail-archive.com/haproxy@formilux.org/msg30448.html
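Added example, not from this thread or from haproxy: a Python check that walks the three steps by which a server's configured cipher string is narrowed before a client sees it (what the linked OpenSSL can offer at all, what the certificate's key type can sign for, what the client actually offers), so the step that empties the list and produces SSL_ERROR_NO_CYPHER_OVERLAP is visible. It assumes the certificate key type is passed in as 'RSA' or 'ECDSA' and uses constructed client offers; it tests the OpenSSL linked into Python, not the one haproxy was built against.

```python
import ssl

# Constructed inputs modelling the setup above: the ssl-default-bind-ciphers
# string, and hypothetical client offers with and without CHACHA20.
SERVER_CIPHER_STRING = "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305"
CLIENT_OFFER_AES_ONLY = ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384"]
CLIENT_OFFER_WITH_CHACHA = CLIENT_OFFER_AES_ONLY + ["ECDHE-RSA-CHACHA20-POLY1305"]


def resolve_ciphers(cipher_string, protocol="TLSv1.2"):
    """Ciphers from cipher_string that the OpenSSL linked into this Python can
    offer for `protocol` (TLSv1.2 mirrors force-tlsv12). An empty list means
    the library matched nothing, e.g. a build without CHACHA20-POLY1305."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:  # OpenSSL: "No cipher can be selected"
        return []
    return [c for c in ctx.get_ciphers() if c["protocol"] == protocol]


def cert_auth_of(cipher):
    """Certificate key type a suite authenticates with: 'RSA' or 'ECDSA'."""
    auth = cipher.get("auth")  # e.g. 'auth-rsa' / 'auth-ecdsa' on OpenSSL >= 1.1.0
    if auth:
        return auth[len("auth-"):].upper()
    return "ECDSA" if "-ECDSA-" in cipher["name"] else "RSA"  # fallback: suite name


def usable_with_cert(ciphers, cert_key_type):
    """Drop suites the server cannot sign for: ECDHE-ECDSA-* needs an EC cert,
    ECDHE-RSA-* an RSA cert. cert_key_type is 'RSA' or 'ECDSA' (assumed input)."""
    return [c["name"] for c in ciphers if cert_auth_of(c) == cert_key_type]


def negotiable(server_names, client_offer):
    """Server-preference intersection; empty means no cipher overlap."""
    offered = set(client_offer)
    return [name for name in server_names if name in offered]


def diagnose(cipher_string, cert_key_type, client_offer):
    """Report each narrowing stage so the one that empties the list is visible."""
    supported = resolve_ciphers(cipher_string)
    with_cert = usable_with_cert(supported, cert_key_type)
    return {
        "library_supports": [c["name"] for c in supported],
        "usable_with_cert": with_cert,
        "negotiable": negotiable(with_cert, client_offer),
    }
```

With an RSA certificate only ECDHE-RSA-CHACHA20-POLY1305 survives the second stage, so a client that does not offer CHACHA20 (or a library that never matched it in the first stage) leaves nothing to negotiate.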
