1

I'm using HAProxy 1.8.17 and OpenSSL 1.1.1a from Debian testing to serve TLS 1.2 connections with client authentication.

In Wireshark I observe the usual TLS messages:

  • client->server: Client Hello
  • server->client: Server Hello, Certificate, Server Key Exchange, Certificate Request, Server Hello Done
  • client->server: Certificate, Client Key Exchange, Certificate Verify, Change Cipher Spec, Encrypted Handshake Message

Now HAProxy answers with: Alert (Level: Fatal, Description: Decrypt Error)

So my question is: what can cause this type of error?

  • RFC5246: "A handshake cryptographic operation failed, including being unable to correctly verify a signature or validate a Finished message. This message is always fatal." – C.Scharfenberg Jan 22 '19 at 10:33

1 Answer

0

In this case the cause of the error is very simple: I've used the wrong CA cert in the HAProxy config.
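
A check for the cause named in this answer, as an added example that is not part of the original post: it verifies a client certificate against the CA file HAProxy is told to trust (the `ca-file` bind option), using throwaway certificates generated on the spot. Function names, subjects and paths are constructed for the demo; the two demo CAs deliberately share a subject name, so comparing names alone would not reveal the mismatch.

```shell
#!/bin/sh
# Added example; every name, subject and path here is constructed for the demo.

# 0 if CLIENT_CERT ($2) chains to a certificate in CA_FILE ($1), the file
# HAProxy is pointed at with ca-file; non-zero otherwise.
check_client_ca() {
    out=$(openssl verify -CAfile "$1" "$2" 2>&1) || true
    printf '%s\n' "$out" | grep -q ': OK$'
}

# 0 if the client cert's issuer name equals the subject name of the first
# certificate in CA_FILE. A name match alone does not prove it is the right CA.
issuer_matches_subject() {
    subject=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253)
    issuer=$(openssl x509 -in "$2" -noout -issuer -nameopt RFC2253)
    [ "${issuer#issuer=}" = "${subject#subject=}" ]
}

# Build two throwaway CAs with the same subject but different keys, plus one
# client certificate signed by the "right" CA, inside directory $1.
make_demo_pki() {
    for name in right wrong; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=Demo Client CA" -keyout "$1/$name-ca.key" \
            -out "$1/$name-ca.pem" 2>/dev/null
    done
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-client" \
        -keyout "$1/client.key" -out "$1/client.csr" 2>/dev/null
    openssl x509 -req -in "$1/client.csr" -CA "$1/right-ca.pem" \
        -CAkey "$1/right-ca.key" -set_serial 1 -days 1 \
        -out "$1/client.pem" 2>/dev/null
}

# Demo: both CA files carry the expected name, only one verifies the client.
tmp=$(mktemp -d)
make_demo_pki "$tmp"
for ca in right wrong; do
    if issuer_matches_subject "$tmp/$ca-ca.pem" "$tmp/client.pem"; then
        n=same; else n=different; fi
    if check_client_ca "$tmp/$ca-ca.pem" "$tmp/client.pem"; then
        v=OK; else v=FAILED; fi
    echo "$ca CA: issuer name $n, chain verification $v"
done
rm -rf "$tmp"
```

Against a real setup, pass the file named by `ca-file` and the certificate the client presents to `check_client_ca`.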