This page gives an outline of how to build HAProxy with OpenSSL so it can use TLS v1.3 (at the time of writing still an IETF draft). Since the draft is still a work in progress, as is the implementation of TLS 1.3, some stability issues should be expected. It assumes Ubuntu 16.04 as the platform.
In order to have TLS 1.3 support you will need to grab a development version of OpenSSL (i.e. 1.1.1). The instructions below use the master branch (at commit 3e524bf2d1748); it might be worth checking the OpenSSL repo for more stable branches of 1.1.1, or ones called "tls1.3-draft-XX".
These instructions build OpenSSL into the directory /opt/openssl-master to ensure that it is kept separate from any other OpenSSL installs on the machine.
You need HAProxy 1.8.1 or later to enable TLS 1.3 support. We are using 1.8.3.
Modify the HAProxy configuration
Add the following to the HAProxy config (note the ssl-default-bind-ciphers and ssl-default-bind-options lines), updating any paths as required.
If you only want TLSv1.3 with no fallback to TLSv1.2, set ssl-default-bind-options to force-tlsv13.
Note that keycert.pem is the certificate chain and private key concatenated into one file, which is the format HAProxy requires.
Create required paths
The above configuration sets HAProxy to run chrooted in the directory /usr/local/var/lib/haproxy, so that directory must be created. OpenSSL also needs access to /dev/random inside the chroot.
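The keycert.pem assembly and the chroot preparation described above, as an added shell example that is not part of the original post. The function names, the input file names and the chroot path argument are assumptions; the chroot path in the usage comment is the one the post uses.

```shell
#!/bin/sh
# Added example, not from the original post: build the keycert.pem HAProxy
# expects (chain first, then private key) with restrictive permissions, sanity
# check it, and prepare the chroot tree with the /dev/random node OpenSSL needs.
# Function names and arguments are assumptions; call e.g.
#   build_keycert chain.pem key.pem keycert.pem
#   prepare_chroot /usr/local/var/lib/haproxy

# Concatenate certificate chain and key into one PEM file, chain first.
# The result holds the private key, so it is created mode 0600.
build_keycert() {
    chain="$1"; key="$2"; out="$3"
    ( umask 077; cat "$chain" "$key" > "$out" )
    chmod 600 "$out"
}

# Check a keycert.pem: at least one CERTIFICATE block, exactly one PRIVATE KEY
# block, the certificate before the key, and no group/world read permission.
# Returns 0 when every check passes, 1 otherwise.
check_keycert() {
    f="$1"
    certs=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f" || true)
    keys=$(grep -c -- '-----BEGIN .*PRIVATE KEY-----' "$f" || true)
    first=$(grep -- '-----BEGIN' "$f" | head -n 1)
    perm=$(stat -c '%a' "$f")
    [ "$certs" -ge 1 ] || return 1
    [ "$keys" -eq 1 ] || return 1
    [ "$first" = "-----BEGIN CERTIFICATE-----" ] || return 1
    [ "$perm" = "600" ] || return 1
    return 0
}

# Create the chroot directory tree. The /dev/random node (char device 1,8)
# can only be created by root; without root the directories are created and
# the function returns 1 so the missing node is not silently ignored.
prepare_chroot() {
    root="$1"
    mkdir -p "$root/dev"
    [ -c "$root/dev/random" ] && return 0
    if [ "$(id -u)" -eq 0 ]; then
        mknod -m 644 "$root/dev/random" c 1 8
    else
        echo "run as root: mknod -m 644 $root/dev/random c 1 8" >&2
        return 1
    fi
}
```

Run check_keycert against the file you point HAProxy at before starting it; a key placed before the chain or a world-readable file is reported as a failure.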