Hi,

while preparing to use multi-keytype bundles for my company's
domains, I found the following two issues:


1.) When loading bundles with a .rsa and/or .ecdsa extension fails,
haproxy neither exits nor prints alerts. This behavior differs from
a failure while loading normal bundles. I think this is because of a
missing "cfgerr +=" in method ssl_sock_load_cert() on line 3478
of file src/ssl_sock.c (version 1.8.13).

proposed patch, line 3478:
replace
ssl_sock_load_multi_cert(fp, bind_conf, NULL, NULL, 0, err);
with
cfgerr += ssl_sock_load_multi_cert(fp, bind_conf, NULL, NULL, 0, err);


2.) When using the global option 'ssl-dh-param-file' in haproxy.cfg,
it is possible that openssl fails to load a chain. These kinds of
errors do not occur when using a dh-params block in the bundle file
instead of the global option in haproxy.cfg.

In src/ssl_sock.c the function ssl_sock_load_crt_file_into_ckch() is
called while loading the bundles. The while loop on line 2847 (version
1.8.13) fails to load the bundle because openssl fails with:
"error:0200100E:system library:fopen:Bad address"
(This would be the openssl error message at this stage, if haproxy
converted the return value to a string with ERR_error_string.)

As a workaround I will disable ssl-dh-param-file and add them to each
bundle in a dh-params block.

I am using:
Haproxy version: 1.8.12/1.8.13 (from ppa:vbernat/haproxy-1.8)
OS: Ubuntu 18.04
OpenSSL: 1.1.0h

example haproxy.cfg (bare minimum to get the ssl errors):
global
  ssl-dh-param-file /haproxy-path/dh-params-2048.pem
  tune.ssl.default-dh-param 2048 # not essential for error reproduction
frontend https_in
  bind 0.0.0.0:443 ssl crt /haproxy-path/bundles/
  timeout client 1m

To set up an environment to reproduce the error, I included the bash
script 'make_bundles.sh' (see attachment) which creates a dh-params-2048.pem
file and a directory named 'cert' containing 20 copies of a bundle.
If you then start haproxy with these configs, it will fail (after applying
the patch regarding the first point -- ssl_sock_load_multi_cert).


cheers,
Michael

Attachment: make-bundles.sh
Description: application/shellscript
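As an added example that is not part of the original mail or of haproxy's source, the following C model shows the effect of the dropped return value described in point 1: a per-file loader reports an error count, and a caller that discards it lets startup proceed with a cfgerr of 0 although a bundle part failed to load. The loader names and the file listing are hypothetical stand-ins for ssl_sock_load_cert()/ssl_sock_load_multi_cert().

```c
/* Added example, not haproxy code: models the dropped return value in a
 * config loader and why it hides certificate load failures. The names are
 * hypothetical stand-ins for ssl_sock_load_cert()/ssl_sock_load_multi_cert(). */
#include <stdio.h>
#include <string.h>

/* Constructed directory listing: one multi-keytype part is unloadable. */
static const char *bundle_files[] = {
    "site.pem",          /* plain bundle, loads fine */
    "site.pem.rsa",      /* multi-keytype part, loads fine */
    "broken.pem.ecdsa",  /* multi-keytype part, fails to load */
};
static const size_t n_bundle_files = sizeof bundle_files / sizeof *bundle_files;

static int has_suffix(const char *s, const char *suf) {
    size_t ls = strlen(s), lf = strlen(suf);
    return ls >= lf && strcmp(s + ls - lf, suf) == 0;
}

/* Stand-in loaders; like haproxy's, each returns its error count. */
static int load_plain_cert(const char *path) { (void)path; return 0; }
static int load_multi_cert(const char *path) {
    return strncmp(path, "broken", 6) == 0 ? 1 : 0;  /* simulated failure */
}

/* Walk the listing. With accumulate_multi == 0 the multi-cert loader's
 * result is discarded (the reported bug); with 1 it is added to cfgerr. */
static int load_certs(int accumulate_multi) {
    int cfgerr = 0;
    for (size_t i = 0; i < n_bundle_files; i++) {
        const char *f = bundle_files[i];
        if (has_suffix(f, ".rsa") || has_suffix(f, ".ecdsa")) {
            int rc = load_multi_cert(f);
            if (accumulate_multi)
                cfgerr += rc;          /* the proposed "cfgerr +=" */
        } else {
            cfgerr += load_plain_cert(f);
        }
    }
    return cfgerr;
}

int load_certs_buggy(void) { return load_certs(0); }  /* returns 0: failure hidden */
int load_certs_fixed(void) { return load_certs(1); }  /* returns 1: startup aborts */

int main(void) {
    printf("buggy cfgerr=%d, fixed cfgerr=%d\n", load_certs_buggy(), load_certs_fixed());
    return load_certs_fixed() ? 1 : 0;
}
```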
