We are trying to remediate a security finding on one of our HAProxy endpoints. We currently have this line and everything works OK:
ssl-default-bind-options no-sslv3 no-tlsv10
We then add the no-tlsv11 option to the bind setting and some of our backend servers time out or won't connect:
ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
ERROR:
Server bk_exchange_2016_smtp/Server3 is DOWN, reason: Layer4 timeout, info: " at step 1 of tcp-check", check duration: 5001ms. 0 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue
The frontend cfg section is as follows (substituting IPs with xxx):
frontend ft_exchange_2016_smtp
    option contstats
    no option http-server-close
    timeout client 1m
    log global
    option tcplog
    bind xxx.xxx.xxx.xxx:25
    mode tcp
    default_backend bk_exchange_2016_smtp

backend bk_exchange_2016_smtp
    option tcp-check
    tcp-check expect string 220
    option redispatch
    balance leastconn
    mode tcp
    log global
    default-server inter 5s rise 2 fall 3
    server server1 server1.FQDN:25 weight 10 check
    server server2 server2.FQDN:25 weight 10 check
    server server3 server3.FQDN:25 weight 10 check
We are able to connect to the above servers with TLS 1.2 using OpenSSL, so we're not sure why the backend servers go down every time we add that no-tlsv11 option.
Do we need to add ssl-default-server-options to match the bind options?
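The health check that is failing above is a plain TCP check ("step 1" is the connect, Layer 4; the "expect string 220" match is step 2, Layer 7), and ssl-default-bind-options only acts on bind lines that carry the ssl keyword. The script below is an added example, not code from the post or from HAProxy: it reproduces that check outside HAProxy against a constructed local SMTP stand-in, so the two failure modes (connect timeout/refusal versus wrong banner) can be told apart, and it scans a constructed copy of the posted config to list which binds are actually TLS-enabled. The banner text, the local server, and the function names are all assumptions made for the example.

```python
import socket
import threading

# Constructed sample (trimmed copy of the posted config), used only to show
# which bind lines the ssl-default-bind-options directive would touch.
SAMPLE_CFG = """\
ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
frontend ft_exchange_2016_smtp
    bind xxx.xxx.xxx.xxx:25
    mode tcp
    default_backend bk_exchange_2016_smtp
backend bk_exchange_2016_smtp
    option tcp-check
    tcp-check expect string 220
    mode tcp
    server server1 server1.FQDN:25 weight 10 check
"""


def tls_enabled_binds(cfg: str) -> list:
    """Return the 'bind' lines that carry the 'ssl' keyword.

    Only those binds terminate TLS, so only those are affected by
    ssl-default-bind-options such as no-tlsv11.
    """
    found = []
    for line in cfg.splitlines():
        parts = line.split()
        if parts and parts[0] == "bind" and "ssl" in parts[1:]:
            found.append(line.strip())
    return found


def tcp_check(host: str, port: int, expect: bytes = b"220", timeout: float = 5.0) -> tuple:
    """Mimic 'option tcp-check' + 'tcp-check expect string 220'.

    Returns (state, reason). Step 1 is the TCP connect (a Layer 4 failure
    if it times out or is refused); step 2 reads the banner and matches it
    (a Layer 7 failure if the expected string is missing).
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return ("DOWN", "Layer4 timeout at step 1 of tcp-check")
    except OSError as exc:  # e.g. connection refused, no route
        return ("DOWN", f"Layer4 connection problem at step 1: {exc.strerror}")
    with sock:
        sock.settimeout(timeout)
        try:
            banner = sock.recv(512)
        except socket.timeout:
            return ("DOWN", "Layer7 timeout at step 2 of tcp-check (no banner)")
    if expect in banner:
        return ("UP", f"Layer7 check passed, banner {banner[:24]!r}")
    return ("DOWN", f"Layer7 mismatch at step 2, banner {banner[:24]!r}")


def start_fake_smtp(banner: bytes) -> tuple:
    """Constructed local stand-in for an SMTP listener that greets with `banner`.

    Returns (port, stop_event); set the event to shut the server down.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))  # ephemeral port, loopback only
    srv.listen(5)
    srv.settimeout(0.2)
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], stop


if __name__ == "__main__":
    print("TLS-enabled binds in sample config:", tls_enabled_binds(SAMPLE_CFG))
    port, stop = start_fake_smtp(b"220 mail.example.test ESMTP\r\n")
    print("healthy backend:", tcp_check("127.0.0.1", port))
    stop.set()
    port, stop = start_fake_smtp(b"421 mail.example.test service not available\r\n")
    print("wrong banner:  ", tcp_check("127.0.0.1", port))
    stop.set()
```

Run against the real backend hosts (host, port 25) from the HAProxy box itself, the result line says whether the problem is at the connect stage or at the banner stage, which is the same split HAProxy reports as Layer4 versus Layer7. On the posted config the sample scan returns no TLS-enabled binds at all, since the frontend's bind has no ssl keyword. As a side note not taken from the post, HAProxy 1.8 and later also accept `ssl-min-ver TLSv1.2` in the same directive as a single replacement for the list of no-tlsv1x flags.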