> On Jul 3, 2020, at 7:17 PM, Henry Bonath <he...@thebonaths.com> wrote:
> 
> Daniel,
> 
> Thanks for taking the time to test this out.
> I just reloaded a test machine from scratch with -current and
> installed the HAProxy 2.0.15-4f39279 package.
> I loaded a very basic config file, and am also seeing the same exact
> issue on this one as well.
> Very strange that you are not -
> Would you mind sharing any additional details of your config file?
> Is there anything special about the certificate you have on the backend 
> server?
> 
> I would love to understand what is going on here and what the
> difference is with my experience.
> 
>> On Thu, Jul 2, 2020 at 4:38 PM Daniel Jakots <d...@chown.me> wrote:
>> 
>> On Thu, 2 Jul 2020 14:00:48 -0400, Henry Bonath <he...@thebonaths.com>
>> wrote:
>> 
>>> Note the missing Client Hello on the 6.7 machine as it jumps to
>>> Application Data straight away.
>>> Configuration files for HAProxy are identical on both systems.
>>> 
>>> I'm currently spinning up a machine on -CURRENT just to see if there
>>> is any difference,
>>> as there is a newer version of HAProxy in packages under Snapshots.
>>> 
>>> I was initially going to try to reach out to the package maintainer
>>> for HAProxy but if this is happening in Relayd, then this "feels
>>> like" a de-facto bug. I wonder if NGINX would exhibit the same
>>> behavior.
>>> 
>>> Has anyone else experienced such behavior with Load-Balancing TLS
>>> Backends since upgrading to 6.7?
>> 
>> I don't use TLS for my backend (the only backend I use nowadays is on
>> localhost) so I can't speak for 6.7 (I only use -current, and when
>> -current was 6.7, I didn't test that).
>> 
>> I just tested my -current haproxy using another -current host of mine
>> running nginx as a backend with TLS and it worked fine.
>> 
>> backend https
>>       option forwardfor
>>       server web1 ln.chown.me:443 check ssl verify none
>> 
>> and also with "verify required ca-file /etc/ssl/cert.pem"
>> 
>> 
>> Maybe some libressl fix that happened on -current was not deemed critical
>> enough to be backported to 6.7?
>> 
>> Cheers,
>> Daniel
> 

This thread is conflating two issues:

1) Henry’s original relayd.conf is wrong.  Notice the TLS connection attempt to 
port 80 in his relayd logs.  This will never work.  See my email regarding two 
relays required.

2) There was conversation about a compatibility issue with LibreSSL in 6.7 
release.  Check the archives.
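As an added example, not part of this thread and not Daniel's or Henry's actual configuration, the haproxy backend below places the quick-test `verify none` form next to the verifying form Daniel also tested. The backend name, the hostname and the use of `verifyhost`/`sni` are assumptions; `/etc/ssl/cert.pem` is the bundle path quoted above.

```haproxy
# Added example, not from the thread. Backend names and hosts are assumed.

# Test-only form: the backend certificate is not validated at all, so any
# host answering on 443 (including a spoofed one) is accepted. Fine for
# confirming that a handshake happens, not for a production path.
backend https_unverified
    option forwardfor
    server web1 backend.example.internal:443 check ssl verify none

# Verifying form: the backend certificate must chain to a CA in ca-file
# and carry the expected name. /etc/ssl/cert.pem is the OpenBSD system
# bundle; a private CA would point at its own file instead. The sni
# directive sends the same name in the ClientHello so a name-based
# backend serves the matching certificate and the health check exercises
# the same handshake as real traffic.
backend https_verified
    option forwardfor
    server web1 backend.example.internal:443 check ssl verify required ca-file /etc/ssl/cert.pem verifyhost backend.example.internal sni str(backend.example.internal)
```

When comparing captures between two hosts as in this thread, use the verifying form on both sides; with `verify none` a handshake that silently accepts a wrong certificate looks identical to a correct one, which hides the difference being investigated.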
