Bye, bye

2014-05-12 Thread 
We are sorry that you decided to opt-out.
We confirm that this email account haproxy@formilux.org has un-subscribed.

Re: patch proposal: ssl_c_cert

2014-05-12 Thread Jarno Huuskonen 
Hi Willy,

On Fri, May 09, Willy Tarreau wrote:
  This patch should be compatible with apache/mod_ssl
  (RequestHeader set SSL_CLIENT_CERT %{SSL_CLIENT_CERT}s) 
  (newlines in the pem cert are replaced with space chars).
 
 I'm wondering whether there is a risk that this same cert could be used
 encoded differently. Eg, currently we have it in PEM and replace new lines
 with spaces, but would it make sense sometimes for example to hash it and
 just pass a hash or whatever ?

I don't know about hashes, but googling shows that there seems to
be quite few slightly different formats (some examples below).
 
 My question comes from the fact that we have sample converters and that
 in my opinion, the conversion to the PEM format is very simple (eg:
 add -BEGIN CERTIFICATE-\n, encode in base64 then END).
 
 Similarly we could have the PEM converter chose the delimiting character
 to be used. And BTW we already have the base64 converter, but I don't
 think it would provide any value here.
 
 So basically the output format could be built using this string :
 
 ssl_c_cert,pem(CERTIFICATE)
 
 With :
- ssl_c_cert outputting raw binary
- pem(type) being the PEM encoder (prepend the BEGIN and append
  the END line, encode in base64 each block of 48 bytes, and emit
  a spacexs)

This sounds reasonable. With this approach it should be fairly
easy to support other SSL_CLIENT_CERT header formats:
- just plain base64: ssl_c_cert,base64
- base64(pem): ssl_c_cert,pem(CERTIFICATE,\n),base64
(https://devcentral.f5.com/questions/irule-to-pass-client-ssl-cert-to-the-application-server-pool-member)
- pem encoded with newlines removed (pound compiled w/--enable-cert1l):
  ssl_c_cert,pem(CERTIFICATE) ?
- nginx seems to be changing how they output the cert 
(http://forum.nginx.org/read.php?29,249804,249848): 
ssl_c_cert,pem(CERTIFICATE,\r\n\t)
 
 An optional t argument to the pem encoder would emit tabs instead
 of spaces to be compatible with pound/nginx.

Apache adds space(' ') after -END CERTIFICATE- line, but
I think nginx/pound compat. output should not add anything after
-END CERTIFICATE- ?

So should the pem converter take third argument: end marker?
- so apache compat: ssl_c_cert,pem(CERTIFICATE,  ,  )
- nginx/pound: ssl_c_cert,pem(CERTIFICATE, \r\n\t)

I might have some time next week or so to try to do this.
Can you give some pointers (for example which functions I could use
to look for examples) ?

I assume that ssl_c_cert would fetch function (similar to my earlier
patch, but returning the cert in raw binary) and pem would be converter
(like sample_conv_bin2base64) ?

-Jarno
 
  (pound / nginx use different formatting for the cert:
  X-SSL-certificate: -BEGIN CERTIFICATE-
  \t...
  \t-END CERTIFICATE-).
  
  The code to replace newlines with spaces is not optimized. If there's a
  guarantee that openssl PEM_write_bio_X509 will always format the pem
  cert in same way(
  -BEGIN CERTIFICATE-
  MIIEoTCCA4mgAwIBAgIQIHCGEzfaVEFkF5d4JxstDTANBgkqhkiG9w0BAQUFADA2
  
  r8q5R89n4IPaS0DaE4I+/W15CPs/AUlkUh6vy2v+PY+WRlie6g==
  -END CERTIFICATE-) -- are the base64 encoded lines always 64chars
  (except the last line) ?
 
 We really cannot rely on this I think, it sounds quite dangerous. Also,
 the cost of translating new lines into spaces is low compared to computing
 the cert output!
 
  -- the loop could be optimized to start from pos 27 (end of BEGIN line)
  and jump 65 chars until end of last line.
 
 Well, at least the with pem converter described above you would get this
 for free :-)
 
  Is this something that could be included in haproxy ?
 
 Sure, I'm just trying to figure what would be the best way to do it so
 that we don't have to modify it in 6 months :-)

Re: [PATCH] Add a configurable support of standardized DH parameters = 1024 bits, disabled by default

2014-05-12 Thread Remi Gacogne 
Hi,

On 05/05/2014 12:06 PM, Sander Klein wrote:

 I've added a 2048bit dhparam to my most used certificates and I don't
 see a big jump in resource usage.
 
 This was not a big scientific test, I just added the DH params in my
 production and looked if the haproxy process started eating more CPU. As
 far as I can tell CPU usage went up just a couple percent. Not a very
 big deal.
 
 So, to me using 2048bit doesn't seem like a problem. And. I can
 always switch to nbproc  1 ;-)

Thank you Sander for taking the time to do this test! I am still not
sure it is a good idea to move a default of 2048 bits though.

Here is a new version of the previous patch that should not require
OpenSSL 0.9.8a to build, but instead includes the needed primes from
rfc2409 and rfc3526 if OpenSSL does not provide them. I have to admit I
don't have access to an host with an old enough OpenSSL to test it
correctly. It still defaults to use 1024 bits DHE parameters in order
not to break anything.

Willy, do you have any thoughts about this patch or any other way to
simplify the use of stronger DHE parameters in haproxy 1.5? I know it
can already be done by generating static DH parameters, but I am afraid
most administrators may find it too complicated and therefore not dare
to test it.

Best regards,

-- 
Rémi Gacogne

Aqua Ray
SAS au capital de 105.720 Euros
RCS Créteil 447 997 099
www.aquaray.fr

14, rue Jules Vanzuppe
94854 IVRY-SUR-SEINE CEDEX (France)
Tel : (+33) (0)1 84 04 04 05
Fax : (+33) (0)1 77 65 60 42
From b616a26f62e7a7eacd30d1ab1ff5a04539146539 Mon Sep 17 00:00:00 2001
From: Remi Gacogne rgacogne[at]aquaray[dot]fr
Date: Mon, 12 May 2014 18:07:15 +0200
Subject: [PATCH] Add the option to use standardized DH parameters = 1024 bits

When no static DH parameters are specified, this patch makes haproxy
use standardized (rfc 2409 / rfc 3526) DH parameters with prime lenghts
of 1024, 2048, 4096 or 8192 bits for DHE key exchange. The size of the
temporary/ephemeral DH key is computed as the minimum of the RSA/DSA server
key size and the value of a new option named tune.ssl.max-dh-param-size.
---
 doc/configuration.txt |  11 ++
 include/common/defaults.h |   5 +
 include/types/global.h|   1 +
 src/cfgparse.c|   8 ++
 src/haproxy.c |   1 +
 src/ssl_sock.c| 348 +-
 6 files changed, 336 insertions(+), 38 deletions(-)

diff --git a/doc/configuration.txt b/doc/configuration.txt
index 6da8b3e..7406dea 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -497,6 +497,7 @@ The following keywords are supported in the global section :
- tune.ssl.lifetime
- tune.ssl.force-private-cache
- tune.ssl.maxrecord
+   - tune.ssl.max-dh-param-size
- tune.zlib.memlevel
- tune.zlib.windowsize
 
@@ -1017,6 +1018,16 @@ tune.ssl.maxrecord number
   best value. Haproxy will automatically switch to this setting after an idle
   stream has been detected (see tune.idletimer above).
 
+tune.ssl.max-dh-param-size number
+  Sets the maximum size of the Diffie-Hellman parameters used for generating
+  the ephemeral/temporary Diffie-Hellman key in case of DHE key exchange. The
+  final size will try to match the size of the server's RSA (or DSA) key (e.g,
+  a 2048 bits temporary DH key for a 2048 bits RSA key), but will not exceed
+  this maximum value. Default value if 1024. Higher values will increase the
+  CPU load, and values greater than 1024 bits are not supported by Java 7 and
+  earlier clients. This value is not used if static Diffie-Hellman parameters
+  are supplied via the certificate file.
+
 tune.zlib.memlevel number
   Sets the memLevel parameter in zlib initialization for each session. It
   defines how much memory should be allocated for the internal compression
diff --git a/include/common/defaults.h b/include/common/defaults.h
index f765e90..944f3aa 100644
--- a/include/common/defaults.h
+++ b/include/common/defaults.h
@@ -214,4 +214,9 @@
 #define SSLCACHESIZE 2
 #endif
 
+/* ssl max dh param size */
+#ifndef SSL_MAX_DH_PARAM
+#define SSL_MAX_DH_PARAM 1024
+#endif
+
 #endif /* _COMMON_DEFAULTS_H */
diff --git a/include/types/global.h b/include/types/global.h
index c945f53..8470640 100644
--- a/include/types/global.h
+++ b/include/types/global.h
@@ -132,6 +132,7 @@ struct global {
 		int sslprivatecache; /* Force to use a private session cache even if nbproc  1 */
 		unsigned int ssllifetime;   /* SSL session lifetime in seconds */
 		unsigned int ssl_max_record; /* SSL max record size */
+		unsigned int ssl_max_dh_param; /* SSL maximum DH parameter size */
 #endif
 #ifdef USE_ZLIB
 		int zlibmemlevel;/* zlib memlevel */
diff --git a/src/cfgparse.c b/src/cfgparse.c
index decdcfd..d2e0191 100644
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@@ -633,6 +633,14 @@ int cfg_parse_global(const char *file, int linenum, char **args, int kwm)
 		}
 		global.tune.ssl_max_record = atol(args[1]);
 	}
+	else if (!strcmp(args[0],

Medical Skills and Training Blog

2014-05-12 Thread Paula Fiske 
Hi,

My name is Paula Fiske and I run Paramedic to RN a site dedicated to 
medical education and resources. I created a list of 100 resources for 
paramedics. My list includes sites on advanced cardiac life support, airway 
management, burn management, fracture  spinal injury management, triage, 
routine 
treatment  other topics. You can see the list at 
http://www.paramedictorn.org/essential-skills-guide.html

If you do not mind taking a look at my article and if you are 
interested posting a link on your sites page of 
http://www.hallandalebeachfl.gov/quicklinks.aspx 
or any page on your site that you deem relevant to my content? Thank you 
very much and please let me know if there is anything I can do to have my 
page be an addition on yours.

Paula Fiske 
PO Box 1531
Houston, TX 77219

To be removed from my mailing list please click here: eduoptout.com

Re: Help with dynamic backend selection

2014-05-12 Thread Rajat Chopra 




- Original Message -
 From: Willy Tarreau w...@1wt.eu
 To: Rajat Chopra rcho...@redhat.com
 Cc: haproxy haproxy@formilux.org
 Sent: Saturday, May 10, 2014 12:01:14 AM
 Subject: Re: Help with dynamic backend selection
 
 On Sat, May 10, 2014 at 07:58:25AM +0200, Willy Tarreau wrote:
   May I ask about the ETA on this?
  
  It's too early for me to know, I need to go down deep into the ebtrees
  first to
  see if longest match is compatible with strings storage-wise, then I need
  to
  study how patterns are built as trees to see how to do that as well.
  Possibly
  it's just one or two days of work once I understand everything.
 
 OK in the end it was extremely easy :-)
 Thierry has done an amazing job at making the pattern management very
 modular,
 because I just changed the index and lookup to try in a tree first with a
 different algorithm and that works fine! So we don't care about the
 compatibility between regular string match and beginning.
 
 So that's pushed into git now if you want to give it a try.


Thanks a lot Willy. It works as intended. I am trying to spin a real large case 
and check the performance. Will report.

Thanks again.
Rajat