Haproxy, openssl 1.1 and ECDSA certs

@darix wrote:

After upgrading my haproxy machine to the beta of openSUSE Leap 15.0, SSL connections did not work anymore. A lot of debugging and testing later, I did a rebuild with openssl 1.0 and it all started working again.
Also RSA certificates were just working. If you have similar issues you might also run into:

The workaround for me was to configure the same curve as used in my SSL cert.

$ openssl x509 -noout -text -in /path/to/cert.pem | grep -B1 'NIST CURVE'
                ASN1 OID: secp384r1 <-
                NIST CURVE: P-384

Then add the curves parameter to your bind line:

bind 0.0.0.0:443   tfo ssl alpn h2,http/1.1 npn h2,http/1.1 crt /path/to/certs/ curves secp384r1
bind :::443 v6only tfo ssl alpn h2,http/1.1 npn h2,http/1.1 crt /path/to/certs/ curves secp384r1

Of course this workaround only works if all your certs use the same curve. Or you will have to do different bind statements for each certificate.
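
An added example, not part of the original post: a script that applies the same `openssl x509` check to every certificate in the crt directory and reports whether a single `curves` value covers them all. It assumes the certificates are `*.pem` files directly inside that directory; the function names `curve_from_text` and `verdict` are made up for this example.

```shell
#!/bin/sh
# Added example: audit which named curve each certificate uses before
# choosing the "curves" value for a bind line.

# Reads `openssl x509 -noout -text` output on stdin and prints the curve
# name from the "ASN1 OID:" line (e.g. secp384r1), or "no-named-curve"
# when there is none (RSA certificates, for instance).
curve_from_text() {
    awk '/ASN1 OID:/ { print $3; found = 1; exit }
         END { if (!found) print "no-named-curve" }'
}

# Reads "curve file" lines on stdin and prints one of:
#   no-ec            no certificate has a named EC curve
#   single <curve>   every EC certificate uses the same curve
#   mixed <curves>   several curves are in use (listed in first-seen order)
verdict() {
    awk '$1 != "no-named-curve" && !seen[$1]++ { list = list (n++ ? " " : "") $1 }
         END {
             if (n == 0)      print "no-ec"
             else if (n == 1) print "single " list
             else             print "mixed " list
         }'
}

if [ "$#" -ge 1 ]; then
    # Usage: sh audit-curves.sh /path/to/certs/
    report=$(for f in "$1"/*.pem; do
        [ -f "$f" ] || continue
        printf '%s %s\n' \
            "$(openssl x509 -noout -text -in "$f" | curve_from_text)" "$f"
    done)
    printf '%s\n' "$report"             # per-certificate listing
    printf '%s\n' "$report" | verdict   # summary line
else
    # No directory given: run on constructed sample lines (not real certs).
    printf 'secp384r1 a.pem\nprime256v1 b.pem\n' | verdict
fi
```

A `single` result gives the curve name to put after `curves`; a `mixed` result is the case the post describes, where the certificates need separate bind statements.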
