
[Patch&BUG] multiple key type bundles are not loaded correctly in certain cases

Posted by Michael Wimmesberger 
Hi,

while preparing to use multi-keytype bundles for my company's
domains, I found the following two issues:


1.) When loading bundles with .rsa and/or .ecdsa extension fails,
haproxy neither exits nor prints alerts. This behavior differs from
failing while loading normal bundles. I think this is because of a
missing "cfgerr +=" in method ssl_sock_load_cert() on line 3478
of file src/ssl_sock.c (version 1.8.13).

proposed patch, line 3478:
replace
ssl_sock_load_multi_cert(fp, bind_conf, NULL, NULL, 0, err);
with
cfgerr += ssl_sock_load_multi_cert(fp, bind_conf, NULL, NULL, 0, err);


2.) When using the global option 'ssl-dh-param-file' in haproxy.cfg,
it is possible that openssl fails to load a chain. These kinds of
errors do not occur when using a dh-params block in the bundle file
instead of the global option in haproxy.cfg.

In src/ssl_sock.c the function ssl_sock_load_crt_file_into_ckch() is
called while loading the bundles. The while loop on line 2847 (version
1.8.13) fails to load the bundle because openssl fails with:
"error:0200100E:system library:fopen:Bad address"
(This would be the openssl error message at this stage, if haproxy
converted the return value to a string with ERR_error_string.)

As a workaround I will disable ssl-dh-param-file and add them to each
bundle in a dh-params block.

I am using:
Haproxy version: 1.8.12/1.8.13 (from ppa:vbernat/haproxy-1.8)
OS: Ubuntu 18.04
OpenSSL: 1.1.0h

example haproxy.cfg (bare minimum to get the ssl errors):
global
  ssl-dh-param-file /haproxy-path/dh-params-2048.pem
  tune.ssl.default-dh-param 2048 # not essential for error reproduction
frontend https_in
  bind 0.0.0.0:443 ssl crt /haproxy-path/bundles/
  timeout client 1m

To set up an environment to reproduce the error, I included the bash
script 'make_bundles.sh' (see attachment) which creates a dh-params-2048.pem
file and a directory named 'cert' containing 20 copies of a bundle.
If you then start haproxy with these configs, it will fail (after applying
the patch regarding the first point -- ssl_sock_load_multi_cert).


cheers,
Michael
Attachments: make-bundles.sh (840 bytes)
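The first issue above is a dropped return value: the error count from the multi-keytype loader never reaches cfgerr, so a broken .rsa/.ecdsa bundle does not stop startup the way a broken plain bundle does. The following is an added, simplified model of that accounting (example code, not haproxy's ssl_sock_load_cert()); load_plain() and load_multi() are constructed stand-ins that fail for any path containing "broken".

```c
/* Added example, not haproxy code: a simplified model of the error
 * accounting in ssl_sock_load_cert(). load_plain() and load_multi()
 * are constructed stand-ins for the real loaders; each returns the
 * number of errors it hit (0 on success). */
#include <stdio.h>
#include <string.h>

static int ends_with(const char *s, const char *suffix) {
    size_t ls = strlen(s), lx = strlen(suffix);
    return ls >= lx && strcmp(s + ls - lx, suffix) == 0;
}

/* Constructed loaders: a path containing "broken" fails to load. */
static int load_plain(const char *path) { return strstr(path, "broken") ? 1 : 0; }
static int load_multi(const char *path) { return strstr(path, "broken") ? 1 : 0; }

/* Behaviour as reported: the multi-cert result is discarded, so a bad
 * .rsa/.ecdsa bundle leaves cfgerr at 0 and startup proceeds silently. */
int load_cert_dir_buggy(const char *const *paths, int n) {
    int cfgerr = 0;
    for (int i = 0; i < n; i++) {
        if (ends_with(paths[i], ".rsa") || ends_with(paths[i], ".ecdsa"))
            load_multi(paths[i]);            /* return value ignored */
        else
            cfgerr += load_plain(paths[i]);
    }
    return cfgerr;
}

/* With the proposed "cfgerr +=" the multi-cert failure is counted like
 * any other, so the caller can refuse to start with a bad bundle. */
int load_cert_dir_fixed(const char *const *paths, int n) {
    int cfgerr = 0;
    for (int i = 0; i < n; i++) {
        if (ends_with(paths[i], ".rsa") || ends_with(paths[i], ".ecdsa"))
            cfgerr += load_multi(paths[i]);
        else
            cfgerr += load_plain(paths[i]);
    }
    return cfgerr;
}

int main(void) {
    /* Constructed directory listing: one good plain bundle, one broken
     * .rsa bundle, one good .ecdsa bundle. */
    const char *paths[] = { "/bundles/ok.pem", "/bundles/broken.rsa", "/bundles/site.ecdsa" };
    printf("buggy: %d error(s), fixed: %d error(s)\n",
           load_cert_dir_buggy(paths, 3), load_cert_dir_fixed(paths, 3));
    return 0;
}
```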
Hi Michael,

On Thu, Aug 02, 2018 at 03:48:13PM +0200, Michael Wimmesberger wrote:
> Hi,
>
> while preparing to use multi-keytype bundles for my company's
> domains, I found the following two issues:
(...)

Thanks for reporting these issues. I'm CCing Emeric who's currently
in vacation and will be back soon. I prefer that he double-checks
the implications of these modifications and/or proposes some extra
solutions. While I'd suspect your first proposed change is right, he
might have a use case in mind that we don't want to break (and this
code is quite tricky).

Thanks!
Willy
Hi Willy, Michael,

On 08/02/2018 06:03 PM, Willy Tarreau wrote:
> Hi Michael,
>
> On Thu, Aug 02, 2018 at 03:48:13PM +0200, Michael Wimmesberger wrote:
>> Hi,
>>
>> while preparing to use multi-keytype bundles for my company's
>> domains, I found the following two issues:
> (...)
>
> Thanks for reporting these issues. I'm CCing Emeric who's currently
> in vacation and will be back soon. I prefer that he double-checks
> the implications of these modifications and/or proposes some extra
> solutions. While I'd suspect your first proposed change is right, he
> might have a use case in mind that we don't want to break (and this
> code is quite tricky).
>
> Thanks!
> Willy
>

Here are two patches which should fix the issues.


Thank you for the debug scripts, Michael, and your information. It was very useful.


R,
Emeric
On Thu, Aug 16, 2018 at 03:25:57PM +0200, Emeric Brun wrote:
> Here are two patches which should fix the issues.

Applied, thanks guys.

Willy