Haproxy Reverse proxy to old machine with old cipher
-
Hello
With pfSense 2.7.0, I was able to use haproxy, to reverse proxy port 443 (fax.mydomain.com) to a Multitech FaxFinder FF130 device.
After updating pfSense to 2.7.1 (also 2.7.2), it doesn't work anymore, I guess because of old SSL / TLS / cipher.
If I try to access the machine directly, I get this error - "ERR_SSL_VERSION_OR_CIPHER_MISMATCH"
I guess I need to add some parameters to "Advanced ssl options", or "Advanced certificate specific ssl options" in the front end?
Anyway, please help.
-Roei
-
@braunerroei Create new SSL certificate and key with the recommended settings (RSA 4096, SHA 385). Many guides exist for that kind of thing. If you need a public cert and have a domain name of your own, install and try the ACME package.
-
Hello
Thank you for the reply.
I do have a domain and a valid certificate, created by ACME package (Let's Encrypt).
As I said, it was working with v 2.7.0 and not working anymore with 2.7.2.
-Roei
-
@braunerroei New cert:
-
@braunerroei so you're doing
internet ---> ha proxy on pfsense (SSL cert X) ----> your device (ssl cert Y) ?
And ha proxy is giving you the warning about cert Y?
I just let ha proxy do ssl offload, and don't run certs on my destination service...
-
@NightlyShark
Thank you NightlyShark, but settings are already like you suggested. I get "503 Service Unavailable - No server is available to handle this request."
-
@braunerroei
Thank you "johnpoz". This is just the way it is, but not working.
As I said before, it was working with 2.7.0, that means the configuration is good.
-Roei
-
@braunerroei so which is - you get a 503 via haproxy - and then this error if you try to directly access the machine without going through ha proxy?
"ERR_SSL_VERSION_OR_CIPHER_MISMATCH"
-
@johnpoz
Yep...
-
@braunerroei Well if you are directly connecting to the machine, and not going through ha proxy - how is it a pfsense thing?
In your browser can't you view the cert that was presented.. normally with such errors there is advanced button, view cert, etc.
And if there is some error that even your browser is complaining about - I would expect haproxy to have same sort of issue with the cert.
-
@johnpoz Hi again! Could it be something about the upgrade to openssl 3 again?
-
@johnpoz
Hello:
via HAProxy (fax.mydomain.com) - "503 Service Unavailable - No server is available to handle this request"
Direct (x.x.x.x) - "ERR_SSL_VERSION_OR_CIPHER_MISMATCH"
-Roei
-
@braunerroei said in Haproxy Reverse proxy to old machine with old cipher:
Direct (x.x.x.x) - "ERR_SSL_VERSION_OR_CIPHER_MISMATCH"
Which has ZERO to do with pfsense - ZERO.. You don't go through pfsense if you're directly accessing the machine, so no it wouldn't have anything to do with pfsense updating to openssl..
But yeah if you have something going on with it, then makes sense that haproxy would also complain. Fix it so your direct machine can access it.. And your haproxy issue most likely will be fixed as well.
-
@NightlyShark said in Haproxy Reverse proxy to old machine with old cipher:
openssl 3
I guess it is related to openssl 3.
-Roei
-
@braunerroei said in Haproxy Reverse proxy to old machine with old cipher:
I guess it is related to openssl 3.
Not on pfsense it isn't - because when you access it direct and you're seeing this error.. Pfsense isn't involved at all.. Maybe if you updated openssl on this device that is hosting your service?
-
I know, that direct access has nothing to do with pfSense.
I just sent the error code, in order to understand the issue while accessing directly.
The device is multitech fax finder FF130, I don't think I can update the openssl.
-Roei
-
@braunerroei if direct access isn't working why would you think it should work through haproxy?
Like saying my car won't start when I sit in and turn the key.. But there is something wrong with my remote start because that isn't working ;)
-
@braunerroei Wait, you were not performing SSL offloading? ... You had HAProxy in TCP mode? ... Then ... the cert you configure for HAProxy via ACME does nothing... Like it doesn't exist
-
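To make the distinction in the previous post concrete, here is an added HAProxy configuration sketch (not from the thread, not the pfSense package's generated config) showing the two ways a legacy HTTPS device can sit behind HAProxy. The backend address, the certificate path and the `ssl-min-ver` value are placeholders and assumptions; the thread does not confirm which setting, if any, restores the FaxFinder. What it does show is where each error in the thread comes from: in TCP mode the browser negotiates TLS with the device itself and the ACME certificate in HAProxy is never presented; in offload mode HAProxy negotiates TLS with the device using the same OpenSSL build that pfSense ships, and if that handshake fails the health check marks the server DOWN, which is exactly the "503 No server is available" response.

```haproxy
# Added example, not from the thread or the pfSense HAProxy package.
# Addresses, paths and version knobs below are placeholders/assumptions.

global
    # Server-side TLS defaults only affect the HAProxy -> device hop on the LAN;
    # the public-facing bind keeps the defaults. Left commented on purpose.
    # ssl-default-server-options ssl-min-ver TLSv1.0

# --- Option A: TCP passthrough ("TCP mode") ---
# HAProxy relays the raw TLS stream. The browser sees the device's own
# certificate and cipher suites, so the ACME cert configured in HAProxy is
# never used, and a client that rejects the device's TLS (e.g. the
# ERR_SSL_VERSION_OR_CIPHER_MISMATCH seen on direct access) rejects it here too.
frontend fax_tcp_in
    bind *:443
    mode tcp
    default_backend fax_tcp_out

backend fax_tcp_out
    mode tcp
    server faxfinder 192.0.2.10:443 check      # placeholder LAN address

# --- Option B: SSL offloading ---
# HAProxy terminates TLS with the ACME certificate and opens its own TLS
# session to the device. That second handshake uses HAProxy's OpenSSL; if the
# device only offers protocol versions or ciphers HAProxy refuses, the `check`
# fails, the server is marked DOWN and clients get
# "503 Service Unavailable - No server is available to handle this request".
frontend fax_https_in
    bind *:443 ssl crt /path/to/fax.mydomain.com.pem   # placeholder path
    mode http
    default_backend fax_https_out

backend fax_https_out
    mode http
    # Per-server knobs for the HAProxy -> device hop (assumption: which one the
    # FaxFinder needs is not established in the thread):
    #   ssl-min-ver TLSv1.0   lets HAProxy offer older protocol versions
    #   ciphers <list>        selects legacy cipher suites for this hop only
    # Relaxing these is a risk accepted for one legacy LAN device, not a
    # change to the public listener above.
    server faxfinder 192.0.2.10:443 ssl verify none ssl-min-ver TLSv1.0 check
```

A quick way to tell which situation you are in is the backend's state in the HAProxy stats page: a server shown DOWN with a layer-6 (L6) check failure means the TLS handshake to the device is what is failing, not routing. Note also that with OpenSSL 3, TLS 1.0 and 1.1 are refused at the library's default security level, so an `ssl-min-ver` of TLSv1.0 or TLSv1.1 on that hop generally has to be paired with `@SECLEVEL=0` in the server-side cipher string (assumption about the device's requirements; the OpenSSL behaviour itself is documented).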
@johnpoz Still won't let me upvote you further... Damn rules...