-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
On 11/19/15 22:43, Igor Cicimov wrote: > > On 20/11/2015 7:23 AM, "Piotr Kubaj" <pku...@riseup.net > <mailto:pku...@riseup.net>> wrote: >> >> On 11/19/2015 17:01, Janusz Dziemidowicz wrote: >>> 2015-11-19 15:45 GMT+01:00 Piotr Kubaj <pku...@riseup.net > <mailto:pku...@riseup.net>>: >>>> Now, about RSA vs ECDSA. I simply don't trust ECDSA. There >>>> are quite a lot of questions about constants used by ECDSA, >>>> which seem to be chosen quite arbitrarily by its creator, >>>> which happens to be NSA. These questions of course remain >>>> unanswered. Even respected scientists like Schneier say that >>>> RSA should be used instead (see >>>> > https://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html#c1 67 >> > >> 5929 >>> >>> But ECDSA itself does not contain any constants (see >>> > https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorit hm). >> > Yes, you have to choose domain parameters and most commonly used > are >>> NIST ones. But you can also use brainpool curves, which >>> specifically avoid using any arbitrary constants (see >>> http://www.ecc-brainpool.org/download/Domain-parameters.pdf) >>> and they are even defined for TLS >>> (https://tools.ietf.org/html/rfc7027) and apparently supported >>> by latest OpenSSL. Unfortunately not by anything else. OK, >>> anyway that's your preference, I'm not going to argue about > ECDSA or not;) >>> >>>> ). When I'm done setting my HTTP(S) services, I'll simply >>>> limit incoming connections connections on my firewall so >>>> DDOS'ing won't be possible, unless you DDOS my firewall :) >>> >>> I've never said anything about DDoS. In such setup there is no >>> need for distributed DoS. The CPU usage of RSA 8192 is so high >>> that a single shell script running on a single attack machine >>> can kill any server. If you are willing to limit your >>> connection rate on a firewall to a few per second, then fine;) >>> >>> As for your problem. Now that it seems like SSL problem, can >>> you just try with RSA 4096 or 2048? RSA 8192 is really not much >>> tested in most code, so maybe the problem is in fact related. >>> >> Unfortunately, accessing my HTTPS services by only OpenSSL is out >> of the question. Besides, I use LibreSSL and am not sure it >> supports it, since OpenBSD people got rid of quite a lot of >> unnecessary code. >> >> So I can only choose ECDSA or RSA. >> >> I don't think limiting my connections is a bad idea vs choosing >> weaker RSA. As I said before, I actually expect only a few >> connections at once. >> >> I've generated RSA 2048 cert with: openssl req -x509 -newkey >> rsa:2048 -keyout haproxy.pem -out haproxy.pem -days 3650 -nodes >> >> That is, I didn't use any non-default options, such as SHA512. >> Unfortunately, it doesn't yield any result. I'm now considering >> switching to SSL Pass-through, and configuring HTTPS in each of >> my WWW servers, it may be much quicker considering how long I've >> been getting Haproxy to work. >> > It might be something specific to BSD os causing issues for you > since I haven't heard of anyone complaining about ssl till now. You > can also try latest stable 1.5.15 since I can't see any 1.6 > specific feature in your config. > Unfortunately, using 1.5.15 didn't change anything. The logs are: Nov 20 10:23:51 anongoth haproxy[86788]: 46.248.161.165:57472 [20/Nov/2015:10:23:46.069] https-in~ owncloud/node1 4958/0/0/31/4989 200 319 - - ---- 12/6/1/2/0 0/0 "GET /core/css/images/ui-bg_flat_35_1d2d44_40x100.png HTTP/1.1" Nov 20 10:23:51 anongoth haproxy[86788]: 46.248.161.165:13241 [20/Nov/2015:10:23:46.075] https-in~ owncloud/node1 4958/0/1/24/4983 200 323 - - ---- 12/6/0/1/0 0/0 "GET /core/css/images/ui-bg_highlight-soft_100_eeeeee_1x100.png HTTP/1.1" Nov 20 10:23:58 anongoth haproxy[86788]: 46.248.161.165:57472 [20/Nov/2015:10:23:51.058] https-in~ owncloud/node1 6752/0/0/448/7221 200 862 - - ---- 12/6/1/2/0 0/0 "GET /index.php/apps/files/ajax/getstoragestats.php?dir=%2F HTTP/1.1" Nov 20 10:24:23 anongoth haproxy[86788]: 46.248.161.165:13241 [20/Nov/2015:10:23:51.058] https-in~ owncloud/node1 31819/0/1/520/32362 200 862 - - ---- 12/6/2/3/0 0/0 "GET /index.php/apps/files/ajax/getstoragestats.php?dir=%2F HTTP/1.1" Nov 20 10:24:43 anongoth haproxy[86788]: 46.248.161.165:13481 [20/Nov/2015:10:23:45.309] https-in~ owncloud/node1 5791/0/0/-1/58637 - -1 0 - - CD-- 2/2/2/2/0 0/0 "POST /index.php/apps/files/ajax/upload.php HTTP/1.1" Nov 20 10:25:11 anongoth haproxy[86788]: 46.248.161.165:57472 [20/Nov/2015:10:23:58.280] https-in~ owncloud/node1 14900/0/1/-1/73036 - -1 0 - - CD-- 1/1/1/1/0 0/0 "POST /index.php/apps/files/ajax/upload.php HTTP/1.1" Nov 20 10:28:21 anongoth haproxy[86788]: 46.248.161.165:45063 [20/Nov/2015:10:26:54.272] https-in~ owncloud/node1 58/0/1/-1/87092 504 194 - - sH-- 0/0/0/0/0 0/0 "POST /index.php/apps/files/ajax/upload.php HTTP/1.1" Nov 20 10:28:22 anongoth haproxy[86788]: 46.248.161.165:17696 [20/Nov/2015:10:28:21.697] https-in~ owncloud/node1 372/0/0/408/801 200 862 - - ---- 1/1/0/1/0 0/0 "GET /index.php/apps/files/ajax/getstoragestats.php?dir=%2F HTTP/1.1" -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQIcBAEBCAAGBQJWTunkAAoJEC9nKukRsfY+sXIQALycK4Q5QMZDkQrf1U+QxLDo ppWrxE2mH+UQ0hQN+qw24YYj29CmPeETyiHE/Ir/uUi8UQhDf1yfIIuaB5HmryFm QGfUwJUC8l+hXKItOelbcQ1ttQME89Zpfh7Y7TSy4SySR1Jk5WrHsQNEE1k71cPB K7Rx6jyIwVcU2D7cNd4aBomg2zDrCzsu8nJdaEVaLCUXP8VSVhRMO0EpPc3jxgxB 4VVQxlYhOCuDFozZYhwE6CaSNYsCVSvj245BbmOMwwDlP6v+ClsYsjRMgqy5AmzQ V5RH7COqnCIPs2gM4hCpyNYa0iZvTziaWd75jFZxfFaBvKT/JO8TNGZPCM1H/10K RFCy/8UYZ68LOUQxrn65M4Te+tzm0KIbrevj7m2ZRpNMb2hGzTJxLKk8wpSmiGpU ZWoyCFB7HDZtLdHkyyQIpIuiErKY2i97jS4mhSpBUHFqdzH6vd0hivQ8ergZMyzU hkON3QVlnqixg1UAFMSZueE8rJIQb55rra1bKg0eRA1Xjz2cROjQn6M+XRSAmMU3 svPe9dTfWjAaU3O4i7JslsuYTqs0teARTGCkKB3LJFg5/NfjWnRsWm/q+uYy1fGx nJNcA7j5Pq9Zf/pip3GcYlRk7km3eExYFcRNGjELFJRJDc0QKWZ2/mn3wQp/SsZP y5xZZ1iH0n9KtWBoAUKP =kHIj -----END PGP SIGNATURE-----