Query regarding HAProxy and OpenSSL - Help! - HAProxy community

link管理

链接快照平台

输入网页链接，自动生成快照
标签化管理网页链接

相关文章推荐

会开车的煎饼 · 世界上最悲催的内陆国，离大海只差2公里· 5 天前 ·

没有腹肌的地瓜 · 风采||百年电车见证祖国繁荣，不忘初心一路与 ...· 2 月前 ·

茫然的木瓜 · 研究机构-西安航空学院· 3 月前 ·

玩足球的企鹅 · qtablewidget降序排序 - CSDN文库· 3 月前 ·

强健的冰淇淋 · 西潼高速豁口收费站已于21日正式通车运营_手 ...· 4 月前 ·

Experts looking for some authentic answer on Haproxy and OpenSSL.

• What is the most recent version of HAProxy that will work with OpenSSL 1.0.2 (or close to that version at version).

• What is the oldest version of OpenSSL that works with the newest version of HAProxy.

Appreciate any quick response on that.

Thanks

All current stable releases as well as the development tree support openssl-1.0.2 and will do for a long time. There are no plans to drop OpenSSL 1.0.2 support. If it doesn’t build, it’s a bug that will be fixed.

Haproxy 1.8 and later support both OpenSSL 1.1.0 and 1.1.1. Haproxy 1.8.15 will introduce a new options to configure TLSv1.3 ciphers, but that doesn’t mean older 1.8 releases can’t be used for OpenSSL 1.1.1 and TLSv1.3, it’s just that the TLSv1.3 ciphersuites are not configurable within haproxy.

Hey Lukas,

Appreciate your response. We are planning to use our own FIPS module with HAproxy. For that we have so far tested the integration using OpenSSL 1.0.2.

So most probably we planning to use OpenSSL 1.0.2 with latest Haproxy version i-e 1.8. So again to reconfirm the latest Haproxy 1.8 (latest stable) has support for OpenSSL 1.0.2? and what is the lowest OpenSSL version has support with latest HAproxy version(stable).

Thanks

Reconfirming, OpenSSL 1.0.2 works fine with Haproxy 1.8.

Even OpenSSL 0.9.8 still works with Haproxy 1.8:

lukas@dev:~/haproxy-1.8$ ./haproxy  -vv
HA-Proxy version 1.8.14-a873c1-41 2018/10/29
Build options :
  TARGET  = linux2628
  CPU     = generic
  CC      = gcc
  CFLAGS  = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv -Wno-unused-label
  OPTIONS = USE_OPENSSL=1
Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200
Built with OpenSSL version : OpenSSL 0.9.8zg 11 Jun 2015
Running on OpenSSL version : OpenSSL 0.9.8zg 11 Jun 2015
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : SSLv3 TLSv1.0
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Encrypted password support via crypt(3): yes
Built with multi-threading support.
Built without PCRE or PCRE2 support (using libc's regex instead)
Built without compression support (neither USE_ZLIB nor USE_SLZ are set).
Compression algorithms supported : identity("identity")
Built with network namespace support.
Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.
Available filters :
        [SPOE] spoe
        [COMP] compression
        [TRACE] trace
lukas@dev:~/haproxy-1.8$
If you are developing a new openssl module, I would suggest you do that with OpenSSL 1.1.1 instead though. Upstream OpenSSL will drop support for OpenSSL 1.0.2 in about a year:
https://www.openssl.org/policies/releasestrat.html
OpenSSL 1.1.1 is where you want to base your development effort on.
              Hey @lukastribus thanks again for your response. I’ll convey this to our development team.
Cheers