2021-05-06 update: At the time of writing this article, I thought the lack of TLSv1.3 support was due to the missing API in LibreSSL, but in fact LibreSSL did not support TLSv1.3 on the server side at all until version 3.2.0 was released (after OpenBSD 6.7 was released). See the release notes for details. On OpenBSD 6.9, the pre-built HAProxy package supports TLSv1.3.
OpenBSD 6.7 was released on 2020-05-19. I upgraded one of my servers from OpenBSD 6.6 to OpenBSD 6.7 that night.
Before OpenBSD 6.7 was available, I had already noticed that the HAProxy package had been upgraded from 1.9 to 2.0 in the ports tree. So after upgrading the OS, I upgraded the installed packages (including HAProxy) with:
pkg_add -u
TLS 1.3
Once I had upgraded the HAProxy installed on my server, I used the Mozilla SSL Configuration Generator to generate a "Modern" configuration. Part of the generated configuration looked like this:
global
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tlsv12 no-tls-tickets
ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tlsv12 no-tls-tickets
I immediately noticed something "wrong". On OpenBSD 6.7, the pre-built HAProxy says the following TLS versions are supported:
# haproxy -vv | grep TLSv
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2
Compared to the pre-built HAProxy on Alpine Linux 3.11:
# haproxy -vv | grep TLSv
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
The output above shows that the pre-built HAProxy on OpenBSD 6.7 does not support TLSv1.3 (while the one on Alpine Linux 3.11 does). Since the generated options disable every version up to and including TLSv1.2, the configuration generated by the Mozilla SSL Configuration Generator effectively disables all SSL/TLS versions on this build. In fact, I tried to apply the configuration and let HAProxy check it:
# haproxy -c -f haproxy.cfg.new
...
[ALERT] 140/031748 (28829) : Proxy 'frontend-01': all SSL/TLS versions are disabled for bind ':443' at [/etc/haproxy/haproxy.cfg.new:17].
...
[ALERT] 140/031748 (28829) : Fatal errors found in configuration.
...
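The failure above is easy to reproduce without a running HAProxy. The following added shell example (not code from the original post or from the HAProxy project) mimics HAProxy's startup check: given the "OpenSSL library supports" line from haproxy -vv and an ssl-default-bind-options line, it reports which protocol versions remain enabled, and flags the combination that leaves none. The haproxy -vv lines and option lines are constructed copies of the ones shown above.

```shell
#!/bin/sh
# Added example, not from the original post: reproduces the "all SSL/TLS
# versions are disabled" check that `haproxy -c` reports, so a bind-options
# line can be tested against what the installed build actually supports.

# Constructed copies of the `haproxy -vv | grep TLSv` lines shown in the post.
OPENBSD_67='OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2'
ALPINE_311='OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3'

# The Mozilla "Modern" bind options from the post, and a TLS 1.2-capable variant.
MODERN='ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tlsv12 no-tls-tickets'
TLS12_PLUS='ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets'

# enabled_versions SUPPORTS_LINE OPTIONS_LINE
# Prints the protocol versions the build supports that the options line does
# not switch off. Empty output is the condition HAProxy rejects at startup.
enabled_versions() {
    supported=${1#*: }          # strip "OpenSSL library supports : "
    enabled=
    for ver in $supported; do
        # TLSv1.2 -> no-tlsv12, SSLv3 -> no-sslv3 (HAProxy's option spelling)
        flag=$(printf '%s' "$ver" | tr '[:upper:]' '[:lower:]' | tr -d '.')
        case " $2 " in
            *" no-$flag "*) ;;                   # explicitly disabled
            *) enabled="$enabled $ver" ;;
        esac
    done
    printf '%s' "${enabled# }"
}

# check_bind_options SUPPORTS_LINE OPTIONS_LINE
# Returns 0 and prints the enabled versions, or returns 1 with an ALERT-style
# message when the combination would leave no version enabled.
check_bind_options() {
    left=$(enabled_versions "$1" "$2")
    if [ -z "$left" ]; then
        echo "ALERT: all SSL/TLS versions are disabled for these bind options" >&2
        return 1
    fi
    echo "enabled: $left"
}

check_bind_options "$OPENBSD_67" "$MODERN" || echo "(rejected, as on OpenBSD 6.7)"
check_bind_options "$ALPINE_311" "$MODERN"      # enabled: TLSv1.3
check_bind_options "$OPENBSD_67" "$TLS12_PLUS"  # enabled: TLSv1.2
```

On a real host, feed it the live line with enabled_versions "$(haproxy -vv | grep 'OpenSSL library supports :')" "$(grep ssl-default-bind-options /etc/haproxy/haproxy.cfg)" before restarting the service.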
In addition, the ssl-default-bind-ciphersuites setting does not work in HAProxy on OpenBSD 6.7. From the HAProxy Documentation:
This setting is only available when support for OpenSSL was built in and OpenSSL 1.1.1 or later was used to build HAProxy.
HAProxy on OpenBSD 6.7 is built against LibreSSL 3.1.1, and the TLS 1.3 API is not available in that version. From the release notes of LibreSSL 3.1.1:
Note that the OpenSSL TLS 1.3 API is not yet visible/available.
Hopefully the API will be ready by the time when OpenBSD 6.8 is released.
Bonus
On OpenBSD 6.6, the pre-built HAProxy does not support compression:
# haproxy -vv | grep Compression
Compression algorithms supported : identity("identity")
According to the HAProxy Documentation:
Identity does not apply any change on data.
Luckily, on OpenBSD 6.7, the pre-built HAProxy comes with compression support:
# haproxy -vv | grep Compression
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
That means I can enable compression in HAProxy with the following line:
compression algo gzip
Also note that reqrep has been deprecated. From the HAProxy Documentation:
Using "reqadd"/"reqdel"/"reqrep" to manipulate request headers is discouraged in newer versions (>= 1.5).
In HAProxy 2.0 (according to the release notes, starting from 2.0-dev4), an error message is printed if the directive is used:
The 'reqrep' directive is deprecated in favor of 'http-request replace-uri', 'http-request replace-path', and 'http-request replace-header' and will be removed in next version.
References
For reference, this is HAProxy's version and build options on OpenBSD 6.6:
HA-Proxy version 1.9.15 2020/04/02 - https://haproxy.org/
Build options :
TARGET = openbsd
CPU = generic
CC = cc
CFLAGS = -O2 -pipe -fno-strict-aliasing
OPTIONS = USE_OPENSSL=1 USE_PCRE=1
Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200
Built with OpenSSL version : LibreSSL 3.0.2
Running on OpenSSL version : LibreSSL 3.0.2
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2
Built with transparent proxy support using: SO_BINDANY
Built without compression support (neither USE_ZLIB nor USE_SLZ are set).
Compression algorithms supported : identity("identity")
Built with PCRE version : 8.41 2017-07-05
Running on PCRE version : 8.41 2017-07-05
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Encrypted password support via crypt(3): yes
Built with multi-threading support.
Available polling systems :
kqueue : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use kqueue.
Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
h2 : mode=HTTP side=FE
h2 : mode=HTX side=FE|BE
<default> : mode=HTX side=FE|BE
<default> : mode=TCP|HTTP side=FE|BE
Available filters :
[SPOE] spoe
[COMP] compression
[CACHE] cache
[TRACE] trace
On OpenBSD 6.7:
HA-Proxy version 2.0.14 2020/04/02 - https://haproxy.org/
Build options :
TARGET = openbsd
CPU = generic
CC = cc
CFLAGS = -O2 -pipe -fno-strict-aliasing
OPTIONS = USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1
Feature list : -EPOLL +KQUEUE -MY_EPOLL -MY_SPLICE -NETFILTER +PCRE -PCRE_JIT -PCRE2 -PCRE2_JIT +POLL -PRIVATE_CACHE +THREAD -PTHREAD_PSHARED -REGPARM -STATIC_PCRE -STATIC_PCRE2 +TPROXY -LINUX_TPROXY -LINUX_SPLICE -LIBCRYPT -CRYPT_H -VSYSCALL -GETADDRINFO +OPENSSL -LUA -FUTEX +ACCEPT4 -MY_ACCEPT4 +ZLIB -SLZ -CPU_AFFINITY -TFO -NS -DL -RT -DEVICEATLAS -51DEGREES -WURFL -SYSTEMD -OBSOLETE_LINKER -PRCTL -THREAD_DUMP -EVPORTS
Default settings :
bufsize = 16384, maxrewrite = 1024, maxpollevents = 200
Built with multi-threading support (MAX_THREADS=64, default=1).
Built with OpenSSL version : LibreSSL 3.1.1
Running on OpenSSL version : LibreSSL 3.1.1
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2
Built with transparent proxy support using: SO_BINDANY
Built with zlib version : 1.2.3
Running on zlib version : 1.2.3
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with PCRE version : 8.41 2017-07-05
Running on PCRE version : 8.41 2017-07-05
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Encrypted password support via crypt(3): yes
Available polling systems :
kqueue : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use kqueue.
Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
h2 : mode=HTTP side=FE mux=H2
h2 : mode=HTX side=FE|BE mux=H2
<default> : mode=HTX side=FE|BE mux=H1
<default> : mode=TCP|HTTP side=FE|BE mux=PASS
Available services : none
Available filters :
[SPOE] spoe
[COMP] compression
[CACHE] cache
[TRACE] trace
And some useful links:
- https://cbonte.github.io/haproxy-dconv/2.0/configuration.html#3.1-ssl-default-bind-ciphers
- https://cbonte.github.io/haproxy-dconv/2.0/configuration.html#3.1-ssl-default-bind-ciphersuites
- https://cbonte.github.io/haproxy-dconv/2.0/configuration.html#4.2-compression%20algo
- https://cbonte.github.io/haproxy-dconv/2.0/configuration.html#4.2-http-request
Oh, if you also like the work from the OpenBSD developers, please consider donating to the OpenBSD Foundation.