I am trying to set up a configuration in HAProxy that binds a single port to both the TLS and SSLv3 protocols.
I tried these settings separately (I am not using the 3 bind directives on a single frontend):
# Ciphers : AES256-GCM-SHA384:AES256-SHA256:AES256-SHA
bind *:5000 ssl crt /home/user/crt/certificate.pem
bind *:5000 ssl crt /home/user/crt/certificate.pem force-sslv3 force-tlsv10
bind *:5000 ssl crt /home/user/crt/certificate.pem ssl-min-ver SSLv3 ssl-max-ver TLSv1.0
But so far only TLSv1.0 works. However, as soon as I drop TLSv1.0 support (i.e. I use only force-sslv3 or ssl-max-ver SSLv3), SSLv3 works perfectly with the same certificate.
I use openssl to test my configurations:
openssl s_client -connect server:ip -ssl3
CONNECTED(00000003)
139657675302816:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1493:SSL alert number 40
139657675302816:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:659:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : SSLv3
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1590687931
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
Am I missing something? Here are my openssl version and my haproxy version:
openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017
haproxy -vv
HA-Proxy version 1.8.23 2019/11/25
Copyright 2000-2019 Willy Tarreau <willy@haproxy.org>
Build options :
TARGET = linux2628
CPU = generic
CC = gcc
CFLAGS = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv -Wno-format-truncation -Wno-null-dereference -Wno-unused-label -Wno-stringop-overflow
OPTIONS = USE_ZLIB=1 USE_OPENSSL=1 USE_SYSTEMD=1 USE_PCRE=1
Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200
Built with OpenSSL version : OpenSSL 1.0.2k-fips 26 Jan 2017
Running on OpenSSL version : OpenSSL 1.0.2k-fips 26 Jan 2017
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : SSLv3 TLSv1.0 TLSv1.1 TLSv1.2
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Encrypted password support via crypt(3): yes
Built with multi-threading support.
Built with PCRE version : 8.32 2012-11-30
Running on PCRE version : 8.32 2012-11-30
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with zlib version : 1.2.7
Running on zlib version : 1.2.7
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with network namespace support.
Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.
Available filters :
[SPOE] spoe
[COMP] compression
[TRACE] trace
Thanks in advance!
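The post checks one protocol version at a time by reading the openssl s_client output by hand. The script below is an added example, not part of the original post and not HAProxy's or OpenSSL's own tooling: it runs one s_client handshake per protocol flag (-ssl3, -tls1, -tls1_1, -tls1_2, all present in OpenSSL 1.0.2) against a listener and classifies each result, so the same bind line can be checked for every version it is supposed to accept or refuse. The host and port are placeholders you supply; the classifier only looks at the "Cipher is ..." summary line, which reads "Cipher is (NONE)" on a refused handshake exactly as in the output quoted above.

```shell
#!/bin/sh
# Added example (not from the original post): probe which SSL/TLS versions a
# listener accepts, one openssl s_client handshake per protocol flag.

# classify_handshake: read s_client output on stdin and print one word.
#   ok      - a cipher was negotiated (line "New, <proto>, Cipher is <name>")
#   refused - no cipher negotiated ("Cipher is (NONE)") or a handshake alert
#   unknown - neither pattern seen (connection refused, timeout, wrong host)
classify_handshake() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'Cipher is (NONE)'; then
        echo refused
    elif printf '%s\n' "$out" | grep -q 'Cipher is '; then
        echo ok
    elif printf '%s\n' "$out" | grep -q 'handshake failure'; then
        echo refused
    else
        echo unknown
    fi
}

# probe_version HOST PORT FLAG: one handshake with the given protocol flag.
# stdin is closed so s_client exits right after the handshake instead of
# waiting for application data to send.
probe_version() {
    host=$1; port=$2; flag=$3
    openssl s_client -connect "$host:$port" "$flag" </dev/null 2>&1 | classify_handshake
}

# probe_all HOST PORT: one line per version, e.g. "-ssl3 refused".
# Compare the result against the ssl-min-ver/ssl-max-ver (or force-*) you set
# on the bind line: every version inside the range should print "ok", every
# version outside it "refused".
probe_all() {
    for flag in -ssl3 -tls1 -tls1_1 -tls1_2; do
        printf '%s %s\n' "$flag" "$(probe_version "$1" "$2" "$flag")"
    done
}

# Usage: ./probe_tls.sh <host> <port>   (host and port are placeholders)
if [ "$#" -eq 2 ]; then
    probe_all "$1" "$2"
fi
```

A version that the client library itself cannot speak also comes back as refused or unknown, so run the script with the same openssl build you will use for the real test (the post's OpenSSL 1.0.2k still ships SSLv3 support; newer builds usually do not).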