HAProxy multiple key type support - bug/feature (?) with DH parameters

Posted by Olivier Doucet 
Hello,

A few months ago I started using multiple key type support in HAProxy. It
means I have this in haproxy.cfg:
bind :443 ssl crt example.pem

And these files:
example.pem.rsa
example.pem.rsa.ocsp
example.pem.rsa.issuer
example.pem.ecdsa
example.pem.ecdsa.ocsp
example.pem.ecdsa.issuer
(see https://cbonte.github.io/haproxy-dconv/1.7/configuration.html#5.1-crt)

It is working very well :)

I now need to handle specific DH parameters for a customer. Before, I used
to add a DH block to the PEM file and it was working... But here, the block is
simply ignored, despite what the configuration documentation says:
https://cbonte.github.io/haproxy-dconv/1.7/configuration.html#3.2-tune.ssl.default-dh-param
"This value is not used if static Diffie-Hellman parameters are supplied
either directly in the certificate file or by using the ssl-dh-param-file
parameter"

I can confirm this behaviour happens only when certificates are loaded with
the .rsa / .ecdsa extension: it is working if I rename example.pem.rsa to
example.pem.

I tried to create a file example.pem.rsa.dh or example.pem.rsa.dhparam with
no luck (just tried those file names randomly :p).

Olivier

Hello,

I am following up on this mail from Olivier because I think I am running into the same problem.
Like him, I need to use specific DH parameters. For this, I simply use the ability to add these DH parameters to the certificate file.
These DH parameters are taken into account if I specify the exact path of the certificate, for example:
bind :443 ssl crt certificate.pem.rsa

Then, I try to use the functionality described in the manual (https://cbonte.github.io/haproxy-dconv/1.7/configuration.html#5.1-crt), which allows creating a certificate bundle if we don't specify the explicit suffix in the configuration:
bind :443 ssl crt certificate.pem
In this case, the certificate is indeed used (certificate.pem.rsa, the same file) but not the part of it containing the specific DH parameters. Indeed, if I do an SSL connection test (with testssl.sh for example), I observe that HAProxy uses its default DH parameters instead of those from the file.

Of course, the goal is to be able to offer ECDSA certificates, but before going to that step, I would have to use specific DH parameters.

Regards,
Arnaud.

----- Original Message -----
> From: "Olivier Doucet" <[email protected]>
> To: "HAProxy" <[email protected]>
> Sent: Friday 23 March 2018 15:58:27
> Subject: HAProxy multiple key type support - bug/feature (?) with DH parameters

--
Université de Montpellier
Direction du Système d'Information et du Numérique
Service des Moyens Informatiques
Bureau réseaux, sécurité et téléphonie IP
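Before treating this as a bug, the first thing to verify is what each file behind "crt example.pem" actually contains and how big its DH group is. The following is an added example, not code from the thread or from HAProxy: a dependency-free Python inspector that lists the PEM blocks in a file, decodes a "DH PARAMETERS" block (PKCS#3: SEQUENCE { INTEGER p, INTEGER g }) to report the prime size, and, given the file names used in this thread (example.pem, example.pem.rsa, example.pem.ecdsa), reports which of them carry DH parameters. The sample bundle it ships with is constructed: the certificate body is a placeholder and the 2048-bit p is deliberately not a prime, it only exercises the parser and the size check.

```python
"""Inspect what a PEM bundle actually carries before concluding that HAProxy
ignores it.  Added example, not code from the thread or from HAProxy.
The sample bundle is constructed: the certificate body is a placeholder and
p = 2^2047 + 1 is NOT a prime; it only exercises the parser."""
import base64
import re
import sys

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)


def der_len(n):
    """DER length octets: short form below 128, long form above."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_int(v):
    """DER INTEGER for a non-negative value (leading 0x00 if the high bit is set)."""
    body = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + der_len(len(body)) + body


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def dh_params(der):
    """Decode PKCS#3 DHParameter and return (prime_bits, generator)."""
    tag, seq, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("DH PARAMETERS: outer element is not a SEQUENCE")
    tag_p, p, nxt = read_tlv(seq, 0)
    tag_g, g, _ = read_tlv(seq, nxt)
    if tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("DH PARAMETERS: p and g must be INTEGERs")
    return int.from_bytes(p, "big").bit_length(), int.from_bytes(g, "big")


def inspect_bundle(text, min_bits=2048):
    """List PEM labels in order and summarise the DH block if one is present."""
    labels, dh = [], None
    for label, b64 in PEM_BLOCK.findall(text):
        labels.append(label)
        if label == "DH PARAMETERS":
            bits, g = dh_params(base64.b64decode("".join(b64.split())))
            dh = {"bits": bits, "generator": g, "ok": bits >= min_bits}
    return {"labels": labels, "dh": dh}


def audit_crt(base, files):
    """For 'crt <base>', report per candidate file whether it carries DH params.
    'files' maps file name -> PEM text (a stand-in for reading the disk)."""
    report = {}
    for name in (base, base + ".rsa", base + ".ecdsa"):
        if name in files:
            report[name] = inspect_bundle(files[name])["dh"] is not None
    return report


def pem_block(label, der):
    """Wrap DER bytes in a PEM block with 64-column base64 lines."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def sample_bundle():
    """Constructed test bundle: placeholder cert + dummy 2048-bit DH block."""
    cert_der = b"\x30\x03\x02\x01\x00"          # placeholder, not a certificate
    p, g = (1 << 2047) | 1, 2                    # NOT a prime; bit length only
    body = der_int(p) + der_int(g)
    dh_der = b"\x30" + der_len(len(body)) + body
    return pem_block("CERTIFICATE", cert_der) + pem_block("DH PARAMETERS", dh_der)


if __name__ == "__main__":
    # Real use: python inspect_pem.py example.pem.rsa [more files...]
    paths = sys.argv[1:]
    if not paths:
        print("demo:", inspect_bundle(sample_bundle()))
    for path in paths:
        with open(path) as fh:
            print(path, inspect_bundle(fh.read()))
```

Run it against the .rsa file directly, since that is the file Arnaud observes HAProxy reading in bundle mode. If the DH block is present there and large enough yet testssl.sh still reports the default group, the file is not the problem; the documentation quoted above names ssl-dh-param-file as the other way to supply static parameters while the bundle behaviour is being clarified.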

Hello,

I am taking the liberty of bumping this email: can someone tell us whether it's a bug or a configuration problem, please?
I would like to use ECDSA certificates in addition to RSA, but this problem is blocking me.

Regards,
Arnaud.


----- Original Message -----
> From: "Arnaud Gavara" <[email protected]>
> To: "haproxy" <[email protected]>
> Sent: Wednesday 2 May 2018 17:25:26
> Subject: Re: HAProxy multiple key type support - bug/feature (?) with DH parameters

--
Université de Montpellier
Direction du Système d'Information et du Numérique
Service des Moyens Informatiques
Bureau réseaux, sécurité et téléphonie IP