Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1509139

Summary: RFE to Built HA-Proxy on lastest version of OpenSSL
Product: Red Hat Enterprise Linux 7 Reporter: Yogita <ysoni>
Component: haproxyAssignee: Ryan O'Hara <rohara>
Status: CLOSED ERRATA QA Contact: Brandon Perkins <bperkins>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.4CC: aherr, carlwgeorge, cfeist
Target Milestone: rcKeywords: FutureFeature
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: haproxy-1.5.18-7.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-04-10 19:02:12 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Yogita 2017-11-03 07:45:32 UTC 
Description of problem:

Customer wants HA-Proxy(haproxy-1.5.18-6.el7.x86_64) RPM built against the current version of OpenSSL,openssl-1.0.2k-8.

Version-Release number of selected component (if applicable):
haproxy-1.5.18-6.el7.x86_64
openssl-1.0.2k-8.el7.x86_64

How reproducible:

haproxy-1.5.18-6 RPM has been built against an older version of OpenSSL (OpenSSL 1.0.1e-fips):

> # openssl version
> OpenSSL 1.0.2k-fips  26 Jan 2017
> 
> # haproxy -vv
> ...
> Built with OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013

The OpenSSL 1.0.1x-branch does not provide ALPN whilst the 1.0.2x branch does.  Customer require HA-Proxy to be built against the 1.0.2x branch so that HA-Proxy will support ALPN.  ALPN is now required for HTTP2 Web services as most major browsers are removing support for SPDY and/or NPN in favour of ALPN.  This was a major problem in RHEL 7.3 and previous as the 1.0.1x-branch of OpenSSL provided did not offer ALPN but with RHEL 7.4 now providing openssl-1.0.2x:

"The OpenSSL update includes ... support for ... Application-Layer Protocol Negotiation (ALPN). "

[ https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.4_release_notes/chap-red_hat_enterprise_linux-7.4_release_notes-overview ]

As a starting point this is great but Customer still cannot process HTTP2 ALPN requests via HA-Proxy as current haproxy-1.5.18-6 has been built against the older branch of OpenSSL - against OpenSSL 1.0.1e-fips - and therefore has no ALPN support.
Comment 3 Ryan O'Hara 2017-11-28 22:28:04 UTC 
This just requires a rebuild. At the moment, haproxy is not scheduled to get an update in RHEL7.5, but I will try to squeeze it in.
Comment 4 Ryan O'Hara 2017-11-30 15:23:03 UTC 
Quick test.

# rpm -q haproxy
haproxy-1.5.18-6.el7.x86_64

# haproxy -vv|grep OpenSSL
Built with OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
Running on OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes

New build.

# rpm -q haproxy
haproxy-1.5.18-7.el7.x86_64

# haproxy -vv|grep OpenSSL
Built with OpenSSL version : OpenSSL 1.0.2k-fips  26 Jan 2017
Running on OpenSSL version : OpenSSL 1.0.2k-fips  26 Jan 2017
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Comment 9 errata-xmlrpc 2018-04-10 19:02:12 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:1024