This page gives an outline of how to build HAProxy with OpenSSL so it can use TLS 1.3 (at the time of writing still an IETF draft). Since the draft and the implementation of TLS 1.3 are both still works in progress, some stability issues should be expected. It assumes Ubuntu 16.04 as the platform.

Build OpenSSL

To get TLS 1.3 support you will need a development version of OpenSSL (i.e. 1.1.1). The instructions below use the master branch (at commit 8f26f9d5811f0d4faa7d0763e0481a434a9ddc5a). It might be worth checking the OpenSSL repo for more stable branches of 1.1.1, or ones called "tls1.3-draft-XX".

Build OpenSSL
git clone git://git.openssl.org/openssl.git
cd openssl
./config enable-tls1_3 shared
make
sudo make install

Edit the local.conf file so HAProxy can link to this version of OpenSSL.

sudo vi /etc/ld.so.conf.d/local.conf
# Add a line containing "/usr/local/lib"
sudo ldconfig


Build HAProxy

You need HAProxy 1.8.1 or later to enable TLS 1.3 support.

Build haproxy
sudo apt install make build-essential


wget http://www.haproxy.org/download/1.8/src/haproxy-1.8.1.tar.gz
tar -xzf haproxy-1.8.1.tar.gz
cd haproxy-1.8.1/
make TARGET=linux2628 USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1 CFLAGS=" -g -I/usr/local/include" LDFLAGS=-L/usr/local/lib
sudo make TARGET=linux2628 USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1 CFLAGS=" -g -I/usr/local/include" LDFLAGS=-L/usr/local/lib install
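
A post-build check, added here as an example and not part of the original page: it reads the output of "haproxy -vv" and fails if HAProxy is not running on the OpenSSL it was compiled against, or if that library does not list TLSv1.3. The function name and the sample text are constructed, and the "Built with" / "Running on" / "OpenSSL library supports" line format is assumed to match what HAProxy 1.8 prints.

```shell
#!/bin/sh
# Added example: confirm from `haproxy -vv` that HAProxy runs on the OpenSSL
# it was built against and that this library offers TLSv1.3.
# Live use:  haproxy -vv | check_haproxy_build
#
# Exit status: 0 ok, 1 built/running versions differ, 2 no TLSv1.3,
#              3 no OpenSSL lines at all (binary built without USE_OPENSSL=1).
check_haproxy_build() {
    awk '
        /^Built with OpenSSL version *:/ { sub(/^[^:]*: */, ""); built = $0; next }
        /^Running on OpenSSL version *:/ { sub(/^[^:]*: */, ""); running = $0; next }
        /^OpenSSL library supports *:/   { sub(/^[^:]*: */, ""); protos = " " $0 " "; next }
        END {
            if (built == "" || running == "") {
                print "no OpenSSL version lines found"; exit 3
            }
            if (built != running) {
                print "built with [" built "] but running on [" running "]"; exit 1
            }
            if (index(protos, " TLSv1.3 ") == 0) {
                print "linked OpenSSL does not offer TLSv1.3: " running; exit 2
            }
            print "ok: " running
        }'
}

# Constructed samples of the relevant `haproxy -vv` lines (not captured output).
SAMPLE_OK='Built with OpenSSL version : OpenSSL 1.1.1-dev xx XXX xxxx
Running on OpenSSL version : OpenSSL 1.1.1-dev xx XXX xxxx
OpenSSL library supports TLS extensions : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3'

# Build picked up the distribution headers and library instead of /usr/local.
SAMPLE_SYSTEM='Built with OpenSSL version : OpenSSL 1.0.2g 1 Mar 2016
Running on OpenSSL version : OpenSSL 1.0.2g 1 Mar 2016
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2'

# Headers from one install, shared library resolved from another at run time.
SAMPLE_MIXED='Built with OpenSSL version : OpenSSL 1.1.1-dev xx XXX xxxx
Running on OpenSSL version : OpenSSL 1.1.0g 2 Nov 2017
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2'

for s in "$SAMPLE_OK" "$SAMPLE_SYSTEM" "$SAMPLE_MIXED"; do
    printf '%s\n' "$s" | check_haproxy_build || echo "  -> exit status $?"
done
```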

Modify the HAProxy configuration

Add the following to the HAProxy config (note the ssl-default-bind-ciphers and ssl-default-bind-options lines), updating any paths as required.

If you want only TLSv1.3, with no fallback to TLSv1.2, set ssl-default-bind-options to force-tlsv13.

global
        log /dev/log    local0
        chroot /usr/local/var/lib/haproxy
        user haproxy
        group haproxy
        maxconn  4000
        pidfile  /usr/local/var/run/haproxy.pid
        tune.ssl.default-dh-param  2048
        ssl-default-bind-ciphers TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:TLS13-CHACHA20-POLY1305-SHA256:EECDH+AESGCM:EECDH+CHACHA20
        ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11

        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private

defaults
        balance roundrobin
        timeout  http-request 10s
        timeout  queue 1m
        timeout  connect 10s
        timeout  client 1m
        timeout  server 1m
        timeout  check 10s

listen dns
        bind :::853 v4v6 tfo ssl crt /etc/certs/keycert.pem
        mode tcp
        server server1 127.0.0.1:9999

Note that the keycert.pem file is the concatenation of the certificate chain and the key in one file, which is what HAProxy requires.
