Hi,
>> root@debianvm:/home/lukas/haproxy-1.6.2# haproxy -f /home/lukas/ssl.cfg -c
>> [ALERT] 328/203304 (9873) : SSLv3 support requested but unavailable.
>> Configuration file is valid
>> root@debianvm:/home/lukas/haproxy-1.6.2# ./haproxy -f /home/lukas/ssl.cfg -c
>> Configuration file is valid
>> root@debianvm:/home/lukas/haproxy-1.6.2#
>>
>>
>> Vincent, can you take a look?
>
> After twiddling a bit around, it seems that enabling Lua support triggers
> this bug. This invocation does trigger the bug:
>
> make USE_OPENSSL=1 TARGET=linux2628 USE_LUA=1 LUA_INC=/usr/include/lua5.3
>
> While this one doesn't:
>
> make USE_OPENSSL=1 TARGET=linux2628
>
> I traced the problem back to the end of hlua.c (line 7058 for v1.6.2):
>
>>>> print args
> $1 = {[0] = 0x4caee5 "ssl", [1] = 0x4b4ab4 "verify", [2] = 0x4b4fc1 "none",
> [3] = 0x4cad1a "force-sslv3", [4] = 0x0}
>
> Those args are defined line 6478. The "force-sslv3" should just be
> removed I think (or at least #ifdef).

In fact, just executing "haproxy -v" is enough to trigger this, no config
needed (because LUA initializes an SSL socket with force-sslv3 and
Debian 8 doesn't include SSLv3 at all).
So this appears to be needed for the connect_ssl() LUA call [1], but I'm
pretty sure it's a bad idea to unconditionally force-sslv3 and disable
certificate verification, even if it's 'just' LUA.
The force-sslv3 can (should) just be patched away, but the certificate
verification probably needs further discussion.
In the long term we will have to make options (like no-sslv3, force-tlsv12),
ciphers and certificate verification options configurable for LUA, just as
we have today for bind and server. Or we could just reuse the 'servers'
global default, as that's likely to match expectations and avoids that
people forget to "harden" LUA SSL security?
Sander, I can't reproduce what you are saying about the actual SSL
configuration though; no-sslv3 no-tlsv10 no-tlsv11 works as expected
for me (only tlsv1.2 possible). Please double check (curl -kv --tlsv1.1
https://localhost).
You can ignore the error message about SSLv3 support for now
(unless you use LUA with SSL sockets, that will be broken on Debian 8,
because of the lack of SSLv3 support).
Will post a patch to remove the force-sslv3 option in the LUA
initialization.
Thanks,
Lukas
[1] http://www.arpalert.org/src/haproxy-lua-api/1.6/#socket-class
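As an added illustration (not part of this message or of haproxy's own files), here is the kind of hardened listener that the `no-sslv3 no-tlsv10 no-tlsv11` check above refers to, expressed as global defaults so that every `bind` and `server` line inherits them instead of each one having to be hardened separately. The certificate path, CA bundle path and backend address are placeholders.

```haproxy
global
    # Defaults inherited by every "bind" line: SSLv3 and TLS 1.0/1.1 are
    # refused, so only TLS 1.2 can be negotiated on any listener.
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
    ssl-default-bind-ciphers ECDHE+AESGCM:!aNULL:!MD5
    # Same protocol floor for outgoing TLS from "server" lines.
    ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11

frontend https-in
    # Inherits the global options; placeholder certificate path.
    bind :443 ssl crt /etc/haproxy/certs/example.pem
    default_backend app

backend app
    # Outgoing TLS with certificate verification kept on
    # (placeholder backend address and CA bundle path).
    server app1 10.0.0.10:8443 ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt
```

Validate the file with `haproxy -f <file> -c` and then repeat the check from the message: `curl -kv --tlsv1.1 https://localhost` should fail the handshake, while `curl -kv --tlsv1.2 https://localhost` should connect.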