SSL Passthrough tcp mode failed during SSL Handshake

@mludy wrote:

Hello All,
I have been fighting with this problem for some time now but am unable to figure it out.
I tested HAProxy SSL passthrough with a simple configuration using the listen directive.
Here is a working sample:

listen my_listener
    bind *:443
    mode tcp
    option tcplog
    balance leastconn
    option ssl-hello-chk
    server app lb-test.xyz:443 check 

Now I would like to use SNI to have the option to route SSL traffic to multiple backends. The first step was to move this configuration to frontend and backend directives:

frontend https
    bind *:443
    mode tcp
    option tcplog
    default_backend app

backend app
    mode tcp
    option tcplog
    balance roundrobin
    option ssl-hello-chk
    server app_backend lb-test.xxx:443 check

Unfortunately this configuration is not correct. When I try to test it I get:

curl https://yyy.com -v
* Rebuilt URL to: https://yyyy.com/
*   Trying 18.207.74.42...
* TCP_NODELAY set
* Connected to yyy.com (xxx) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS alert, Server hello (2):
* error:14004438:SSL routines:CONNECT_CR_SRVR_HELLO:tlsv1 alert internal error
* stopped the pause stream!
* Closing connection 0
curl: (35) error:14004438:SSL routines:CONNECT_CR_SRVR_HELLO:tlsv1 alert internal error

So it looks like communication is not possible because the server sends a hello packet with an alert.

Communication to the backend works when I try it directly without haproxy:

curl -vvvv https://xxxxx -v
* Rebuilt URL to: https://xxxxx/
*   Trying 55.*.*.*...
* TCP_NODELAY set
* Connected to xxxxxxx (yyyyy) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  ..........
* Server certificate:
*............

haproxy version: 1.6.3 2015/12/25

Any ideas appreciated,
Michal
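An SNI-based passthrough configuration of the kind the post is working toward, added here as an example; it is not part of the original post or of the HAProxy project's documentation. Hostnames and backend addresses are placeholders, and the directives used (tcp-request inspect-delay, req.ssl_hello_type, req.ssl_sni) are available in HAProxy 1.5 and later.

```haproxy
# Added example (not from the original post): SSL passthrough with
# SNI-based backend selection. Hostnames and addresses are placeholders.
global
    log /dev/log local0

defaults
    log     global
    mode    tcp
    option  tcplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend https_in
    bind *:443
    mode tcp

    # In TCP mode HAProxy only sees raw bytes, so it must buffer the start
    # of the connection until the TLS ClientHello (hello type 1) has
    # arrived before req.ssl_sni can return anything. Without the
    # inspect-delay the ACLs are evaluated on an empty buffer and every
    # connection falls through to the default backend.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }

    # Route on the server name the client sent; -i matches
    # case-insensitively. TLS is not terminated here, so the client's
    # SNI and certificate validation reach the backend unchanged.
    use_backend app_a if { req.ssl_sni -i app-a.example.com }
    use_backend app_b if { req.ssl_sni -i app-b.example.com }

    # Connections with an unknown SNI, or no SNI at all, land here.
    default_backend app_fallback

backend app_a
    mode tcp
    balance leastconn
    # ssl-hello-chk sends an SSLv3-style client hello and expects a
    # server hello, so the health check confirms the backend still
    # answers TLS handshakes rather than just accepting TCP connections.
    option ssl-hello-chk
    server app_a1 app-a-backend.example.internal:443 check

backend app_b
    mode tcp
    balance leastconn
    option ssl-hello-chk
    server app_b1 app-b-backend.example.internal:443 check

backend app_fallback
    mode tcp
    server fallback fallback.example.internal:443 check
```

Because the backend sees the client's original ClientHello, its certificate must match the name the client connected with; a name mismatch surfaces on the client side, not in HAProxy's logs.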
