Hi Willy,

I'm not sure how to document this leak. I don't know exactly how the
firewall SSL health check is implemented... Would the Wireshark trace be
enough to report the issue?

Thanks!

-- Georges-Etienne

On Tue, Feb 3, 2015 at 5:52 PM, Willy Tarreau <w...@1wt.eu> wrote:

> Hi Georges-Etienne,
>
> On Tue, Feb 03, 2015 at 08:09:15AM -0500, Georges-Etienne Legendre wrote:
> > Hi Willy,
> >
> > Thanks a lot for this investigation, it was really helpful.
> >
> > My OpenSSL is up-to-date on this server. I first tried to remove the chroot
> > statement. I'm pretty sure this in itself solved the leak, but I no longer
> > have the traces, and a couple of hours after, our Ops changed the SSL check to
> > a simple TCP check on port 443. So, I cannot confirm 100%.
> >
> > I can however confirm that I no longer experience the leak. I put back the
> > chroot command to be safer.
>
> OK that's great.
>
> > This also prompted me to tweak the SSL ciphers. I now use a more thoughtful
> > list of ciphers (https://mozilla.github.io/server-side-tls/ssl-config-generator/)
> > and disabled SSLv3. This indeed disables KRB5.
> >
> >     ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
> >     ssl-default-bind-options no-sslv3
>
> Wow! When we introduced SSL, I expected that a lot of difficulties
> would come from it, but not that the ugliest config statements would
> come with it as well :-)
>
> > I will keep a close eye on the memory usage... HAproxy has been running for
> > about 16 hours now, and here is the ps output:
> > # ps -u nobody u
> > USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
> > nobody   63985  0.5  0.0  53868 10960 ?        Ss   Feb02   5:19 /usr/sbin/haproxy -D -f /etc/haproxy/haproxy.cfg -p /var/run/haproxy.pid
> >
> > Looks good :-)
>
> Yes indeed. Now I think it will really be important to report this leak
> to whomever it concerns (probably the distro vendor so that they decide
> whether it's in their own patches or in openssl upstream). My openssl
> version doesn't have krb5 and I have never understood what is needed to
> enable it nor what it provides. Crypto libs tend to be cryptic ...
>
> Willy
>
>
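An added example, not code from this thread or from HAProxy: the quoted ssl-default-bind-ciphers string is handed to Python's ssl module, which calls the same OpenSSL cipher-list parser HAProxy uses, so you can see what the string actually enables on a given OpenSSL build rather than trusting the list by eye. It checks that the families the thread says are gone (KRB5, RC4, MD5, export, NULL, PSK, single DES, anonymous DH) really are absent, that SSLv3 is below the floor, which of the enabled suites lack forward secrecy (the plain AES128-SHA-style fallbacks at the end of the list), and one caveat worth knowing: OpenSSL silently skips cipher names it does not recognise, which is why a rule like !KRB5-DES-CBC3-SHA is harmless on a build without Kerberos, and also why a typo in the list is never reported as an error. It assumes Python 3.7+ and whatever OpenSSL that Python is linked against; the exact enabled list varies by OpenSSL version and security level, so the checks are on properties of the list, not on its length.

```python
"""Audit an OpenSSL cipher string the way HAProxy will apply it.

Added example; not code from the thread or from HAProxy. Needs Python 3.7+.
"""
import ssl

# The cipher string exactly as posted in the thread, reflowed onto one line.
POSTED_CIPHERS = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"
    "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:"
    "DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:"
    "AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:"
    "!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:"
    "!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
)

# Substrings that must not occur in any enabled suite name: KRB5 (the family
# the thread says the list disables) plus everything the '!' rules exclude.
# "DES-CBC-" matches single DES only; 3DES is named "DES-CBC3-SHA".
FORBIDDEN = ("KRB5", "RC4", "MD5", "EXP-", "NULL", "PSK", "ADH-", "AECDH-", "DES-CBC-")


def build_context(cipher_string):
    """Server context with the given cipher string and SSLv3 off."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Equivalent of 'ssl-default-bind-options no-sslv3': TLS 1.0 is the floor.
    # Current Python/OpenSSL builds already default higher; make it explicit anyway.
    if ctx.minimum_version < ssl.TLSVersion.TLSv1:
        ctx.minimum_version = ssl.TLSVersion.TLSv1
    # set_ciphers() only raises if *nothing* matches; unknown names are skipped.
    ctx.set_ciphers(cipher_string)
    return ctx


def enabled_ciphers(ctx):
    """Names of the suites the context will really offer, in preference order."""
    return [c["name"] for c in ctx.get_ciphers()]


def has_forward_secrecy(name):
    # TLS 1.3 suites (TLS_*) always use ephemeral (EC)DH. For older names the
    # key exchange is the leading token: ECDHE/DHE/EDH are ephemeral, while a
    # bare name such as AES128-SHA means static RSA key transport.
    return name.startswith(("TLS_", "ECDHE-", "DHE-", "EDH-"))


def sslv3_disabled(ctx):
    return ctx.minimum_version >= ssl.TLSVersion.TLSv1


def audit(cipher_string, forbidden=FORBIDDEN):
    """Enabled suites, any hitting a forbidden family, and any without forward
    secrecy (the AES128-SHA-style fallbacks at the tail of the posted list are
    expected to show up in the last group)."""
    ctx = build_context(cipher_string)
    names = enabled_ciphers(ctx)
    return {
        "enabled": names,
        "violations": [n for n in names if any(f in n for f in forbidden)],
        "no_forward_secrecy": [n for n in names if not has_forward_secrecy(n)],
        "sslv3_disabled": sslv3_disabled(ctx),
    }


def unknown_names_are_ignored():
    """OpenSSL drops cipher names it does not know without complaint, so a typo
    in the list is not a configuration error. Shown with one real suite and one
    made-up name; TLS 1.3 suites are filtered out because OpenSSL 1.1.1+ lists
    them regardless of this string."""
    ctx = build_context("ECDHE-RSA-AES128-GCM-SHA256:NOT-A-REAL-CIPHER")
    tls12 = [n for n in enabled_ciphers(ctx) if not n.startswith("TLS_")]
    return tls12 == ["ECDHE-RSA-AES128-GCM-SHA256"]


if __name__ == "__main__":
    report = audit(POSTED_CIPHERS)
    print("SSLv3 disabled:", report["sslv3_disabled"])
    print("forbidden families present:", report["violations"] or "none")
    print("no forward secrecy:", report["no_forward_secrecy"])
    print("unknown names silently ignored:", unknown_names_are_ignored())
    for name in report["enabled"]:
        print("  ", name)
```

Running the script on the HAProxy host's own OpenSSL (python3 linked against the same library as haproxy) is the useful check; the list you see there is the one clients will be offered, and anything in the "no forward secrecy" group is a fallback you may want to drop if your client population allows it.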
