Channel: HAProxy community - Latest topics

Using pgsql-check with TLS results in 'SSL handshake failure'


I’m trying to use pgsql-check to check my postgres backend nodes. They provide SSL endpoints only. My configuration looks like this:

global
  # Default SSL material locations
  ca-base /usr/local/etc/haproxy/ca
  crt-base /usr/local/etc/haproxy/cert

  ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
  ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:!ECDHE-RSA-AES256-SHA384:!ECDHE-RSA-AES128-SHA256:!ECDHE-RSA-AES256-SHA:!ECDHE-RSA-AES128-SHA:!DHE-RSA-AES128-SHA256:!DHE-RSA-AES128-SHA:!DHE-RSA-AES256-SHA256:!DHE-RSA-AES256-SHA:!ECDHE-ECDSA-DES-CBC3-SHA:!ECDHE-RSA-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!AES128-GCM-SHA256:!AES256-GCM-SHA384:!AES128-SHA256:!AES256-SHA256:!AES128-SHA:!AES256-SHA:!DES-CBC3-SHA:!DSS

  ssl-default-server-options ssl-min-ver TLSv1.2 no-tls-tickets
  ssl-default-server-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:!ECDHE-RSA-AES256-SHA384:!ECDHE-RSA-AES128-SHA256:!ECDHE-RSA-AES256-SHA:!ECDHE-RSA-AES128-SHA:!DHE-RSA-AES128-SHA256:!DHE-RSA-AES128-SHA:!DHE-RSA-AES256-SHA256:!DHE-RSA-AES256-SHA:!ECDHE-ECDSA-DES-CBC3-SHA:!ECDHE-RSA-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!AES128-GCM-SHA256:!AES256-GCM-SHA384:!AES128-SHA256:!AES256-SHA256:!AES128-SHA:!AES256-SHA:!DES-CBC3-SHA:!DSS

  ssl-server-verify none

  tune.ssl.default-dh-param 2048
  tune.h2.initial-window-size 1048576 # https://www.haproxy.com/documentation/hapee/1-8r1/traffic-management/enable-http2-protocol/

defaults
  log global
  mode http
  option httpchk GET /

  timeout connect 5000
  timeout client  30000
  timeout server  30000
  default-server init-addr libc,none

listen postgres
  bind *:5432
  balance roundrobin
  option pgsql-check user myuser

  server db_1 qa-db-1:5432 check inter 10s fastinter 2s downinter 60s fall 3 rise 10 ssl verify required ca-file my-ca.crt
  server db_2 qa-db-2:5432 check inter 10s fastinter 2s downinter 60s fall 3 rise 10 ssl verify required ca-file my-ca.crt backup

The checks fail with the following log output:

[NOTICE]   (8) : New worker #1 (10) forked
[WARNING]  (10) : Server postgres/db_1 is DOWN, reason: Layer6 invalid response, info: "SSL handshake failure", check duration: 6ms. 0 active and 1 backup servers left. Running on backup. 0 sessions active, 0 requeued, 0 remaining in queue.
[WARNING]  (10) : Backup Server postgres/db_2 is DOWN, reason: Layer6 invalid response, info: "SSL handshake failure", check duration: 11ms. 0 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
[NOTICE]   (10) : haproxy version is 2.4.1-1ce7d49
[ALERT]    (10) : proxy 'postgres' has no server available!

Checking the postgres log shows:

2021-08-02 18:54:10.987 CEST [14096] [unknown]@[unknown] LOG:  could not accept SSL connection: no suitable signature algorithm
2021-08-02 18:54:10.987 CEST [14096] [unknown]@[unknown] DEBUG:  SSL connection from "(anonymous)"
2021-08-02 18:54:10.987 CEST [14096] [unknown]@[unknown] DEBUG:  shmem_exit(0): 0 before_shmem_exit callbacks to make
2021-08-02 18:54:10.987 CEST [14096] [unknown]@[unknown] DEBUG:  shmem_exit(0): 0 on_shmem_exit callbacks to make
2021-08-02 18:54:10.987 CEST [14096] [unknown]@[unknown] DEBUG:  proc_exit(0): 1 callbacks to make
2021-08-02 18:54:10.987 CEST [14096] [unknown]@[unknown] DEBUG:  exit(0)
2021-08-02 18:54:10.987 CEST [14096] [unknown]@[unknown] DEBUG:  shmem_exit(-1): 0 before_shmem_exit callbacks to make
2021-08-02 18:54:10.987 CEST [14096] [unknown]@[unknown] DEBUG:  shmem_exit(-1): 0 on_shmem_exit callbacks to make
2021-08-02 18:54:10.987 CEST [14096] [unknown]@[unknown] DEBUG:  proc_exit(-1): 0 callbacks to make

Manually executing the SSL handshake works fine:

# echo "" | openssl s_client -starttls postgres -CAfile /etc/haproxy/ca/my-ca.crt  -connect 10.0.101.6:5432 -showcerts
CONNECTED(00000003)
Can't use SSL_get_servername
[…]
verify return:1
---
Certificate chain
[…]
---
No client certificate CA names sent
Peer signature type: Ed25519
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1042 bytes and written 687 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 253 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
DONE

Am I doing something wrong here, or could anyone give me a hint on how to troubleshoot this, please? The HAProxy version I’m using is 2.4.1-1ce7d49.
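The `openssl s_client -starttls postgres` step above works because it first sends PostgreSQL's SSLRequest packet and only then starts TLS; the HAProxy check fails inside the TLS handshake itself. The following script, added here as an example (it is not part of the original post and not HAProxy or PostgreSQL code), performs the same SSLRequest-then-TLS sequence from Python with a client policy you control (minimum TLS version, TLS 1.2 cipher string, whether SNI is sent), so you can narrow down which client-side setting makes the server report "no suitable signature algorithm". The host, port and CA path given on the command line are assumptions for illustration; the CA path does not have to match the one in the post.

```python
"""Reproduce PostgreSQL's STARTTLS-style handshake (SSLRequest, then TLS)
with an adjustable client TLS policy, for comparing a failing health-check
handshake against the working `openssl s_client -starttls postgres` run."""
import socket
import ssl
import struct
import sys

# SSLRequest: int32 length (8) followed by int32 request code 80877103,
# i.e. (1234 << 16) | 5679.  The server replies with one byte:
# 'S' (go ahead with TLS) or 'N' (TLS not offered on this port).
SSL_REQUEST_CODE = 80877103


def build_ssl_request() -> bytes:
    """Return the 8-byte SSLRequest packet sent before the TLS ClientHello."""
    return struct.pack("!ii", 8, SSL_REQUEST_CODE)


def parse_ssl_response(reply: bytes) -> bool:
    """Interpret the server's one-byte answer to SSLRequest."""
    if reply == b"S":
        return True
    if reply == b"N":
        return False
    # Anything else (typically 'E', an ErrorResponse) means the server did not
    # get a well-formed SSLRequest, e.g. because raw TLS was sent to the port.
    raise ValueError(f"unexpected SSLRequest reply: {reply!r}")


def make_client_context(ca_file, min_version_name="TLSv1_2", ciphers=None):
    """Client context approximating HAProxy's server-side TLS settings.

    min_version_name mirrors `ssl-min-ver`, ciphers mirrors
    `ssl-default-server-ciphers` (a TLS 1.2 cipher string; TLS 1.3 suites are
    negotiated separately).  Hostname checking is off because the server line
    in the post sets `verify required` without `verifyhost` or `sni`
    (assumption: that is how the check behaves for you too).
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = getattr(ssl.TLSVersion, min_version_name)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED if ca_file else ssl.CERT_NONE
    if ciphers:
        ctx.set_ciphers(ciphers)
    return ctx


def probe(host, port, ctx, sni=None, timeout=5.0):
    """Send SSLRequest, upgrade to TLS, and report what was negotiated."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        raw.sendall(build_ssl_request())
        if not parse_ssl_response(raw.recv(1)):
            return {"tls": False}
        # server_hostname=None sends no SNI, like an HAProxy server line
        # without the `sni` keyword.
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            cert = tls.getpeercert() or {}
            subject = dict(entry[0] for entry in cert.get("subject", ()))
            return {
                "tls": True,
                "version": tls.version(),
                "cipher": tls.cipher()[0],
                "peer_subject": subject,
            }


if __name__ == "__main__":
    # Usage (assumed example values):
    #   python3 pg_tls_probe.py qa-db-1 5432 /usr/local/etc/haproxy/ca/my-ca.crt
    host, port = sys.argv[1], int(sys.argv[2])
    ca = sys.argv[3] if len(sys.argv) > 3 else None
    try:
        print(probe(host, port, make_client_context(ca)))
    except ssl.SSLError as exc:
        # This is the client-side view of the same failure the server logs.
        print(f"TLS handshake failed: {exc}")
        sys.exit(1)
```

Run it once with the defaults (which mirror the post's `ssl-min-ver TLSv1.2`) and once with the cipher string from `ssl-default-server-ciphers` passed as the `ciphers` argument; if the second run fails where the first succeeds, the restriction that the server rejects is in the client policy rather than in the SSLRequest step. A `ValueError` from `parse_ssl_response` instead indicates the TLS handshake was started without the SSLRequest prefix.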

3 posts - 2 participants

