Re: ECDSA and HAProxy help

2016-10-11 Thread Bryan Talbot

> On 12 Oct 2016 8:45 am, "Igor Cicimov" wrote:
> >
> > On 11 Oct 2016 7:05 pm, "Thierry Fournier" wrote:
> > > I'm currently trying to investigate a small memory leak in
> > > certificate loading, and I'm trying to test ECDSA certificates and
> > > ciphers.
> > >
> > > I can't get this done :( I don't understand anything about the ECDSA
> > > certificate process.
> > >
> > > My test certificate is generated from a little chain where the root CA
> > > is self-signed. So the root CA and the 2 intermediates are RSA
> > > certificates. The ECDSA certificate is built with these commands:
> > >
> > >    openssl ecparam -name secp521r1 -genkey -param_enc explicit -out \
> > >       $CN.ecdsa.key

I ran into this as well and it turns out that s_client and s_server do not seem 
to play nicely with curves when using -param_enc explicit and instead prefer to 
only deal with named curves.

Encode the key params using named curve that both sides can accept and your 
test should work.

Also, see 
https://groups.google.com/forum/#!topic/mailing.openssl.users/Rg6yV4ccWeo 


-Bryan




Re: ECDSA and HAProxy help

2016-10-11 Thread Igor Cicimov
On 12 Oct 2016 8:45 am, "Igor Cicimov" wrote:
>
> On 11 Oct 2016 7:05 pm, "Thierry Fournier" wrote:
> >
> > Hi list,
> >
> > I'm currently trying to investigate a small memory leak in
> > certificate loading, and I'm trying to test ECDSA certificates and
> > ciphers.
> >
> > I can't get this done :( I don't understand anything about the ECDSA
> > certificate process.
> >
> > So, after many failures with HAProxy, I tried to validate the concept
> > with openssl only. I used openssl 1.0.2j.
> >
> > First I tested classic RSA ciphers (I suppose OpenSSL builds its own
> > certificates?):
> >
> >    openssl s_server -accept 1 -cipher RSA
> >    openssl s_client -connect 127.0.0.1:1 -cipher RSA
> >
> > That works! Then I tried with ECDSA. It's exactly the same command but
> > with ECDSA ciphers.
> >
> >    openssl s_server -accept 1 -cipher ECDSA
> >    openssl s_client -connect 127.0.0.1:1 -cipher ECDSA
> >
>
> Try with a more specific cipher like
>
> -cipher ECDHE-ECDSA-AES128-GCM-SHA256
>
> > That doesn't work. I get this error: "ssl3_get_client_hello:no shared
> > cipher". I don't understand, because the server and the client are the
> > same binary, and I suppose the ciphers are obviously the same.
> >
> > I have exactly the same behaviour with haproxy (I wrote a temporary
> > patch to get the details of the handshake errors) if I load only an
> > ECDSA certificate and enable only the ECDSA ciphers.
> >
> > I ran a tcpdump network capture, and I see that the client announces
> > the right list of ECDSA ciphers. Also, the protocol used is TLS 1.2.
> >
> >    ... ECDHE-ECDSA-AES128-SHA256 ... ECDHE-ECDSA-AES128-SHA ...
> >    ... and others ...
> >
> > My test certificate is generated from a little chain where the root CA
> > is self-signed. So the root CA and the 2 intermediates are RSA
> > certificates. The ECDSA certificate is built with these commands:
> >
> >    openssl ecparam -name secp521r1 -genkey -param_enc explicit -out \
> >       $CN.ecdsa.key
Also try with a different EC curve, like:

   openssl req -new -x509 -nodes -newkey ec:<(openssl ecparam -name secp384r1) \
      -keyout cert_ecdsa.key -out cert_ecdsa.crt -days 7200 -subj 'subject'

I remember I had issues with secp curves higher than 384r1 when I was testing
ECDSA with Tomcat 9. See
https://icicimov.github.io/blog/server/Tomcat9-ECDSA-Certificates-and-HTTP2/,
maybe you can find something useful there. I was using curl as the client for
testing, though.

> >    openssl req -new -key $CN.ecdsa.key -out $CN.ecdsa.csr -subj \
> >       "$SUBJECT"
> >
> >    openssl x509 -req -in $CN.ecdsa.csr -CA inter2.pem -CAkey \
> >       inter2.key -CAcreateserial -out $CN.ecdsa.cert -days 50 \
> >       -sha256
> >
> > Any ideas?
> >
> > PS: I can't test DSA either, but in this case the openssl
> > s_client fails before trying to connect :) That is another story.
> >
> > Thierry
> >
> >
> > --
> > Thierry Fournier
> > m: +33 6 68 69 21 85  | e: thierry.fourn...@ozon.io
> > w: http://www.ozon.io/| b: http://blog.ozon.io/
> >


Re: ECDSA and HAProxy help

2016-10-11 Thread Igor Cicimov
On 11 Oct 2016 7:05 pm, "Thierry Fournier" wrote:
>
> Hi list,
>
> I'm currently trying to investigate a small memory leak in
> certificate loading, and I'm trying to test ECDSA certificates and
> ciphers.
>
> I can't get this done :( I don't understand anything about the ECDSA
> certificate process.
>
> So, after many failures with HAProxy, I tried to validate the concept
> with openssl only. I used openssl 1.0.2j.
>
> First I tested classic RSA ciphers (I suppose OpenSSL builds its own
> certificates?):
>
>    openssl s_server -accept 1 -cipher RSA
>    openssl s_client -connect 127.0.0.1:1 -cipher RSA
>
> That works! Then I tried with ECDSA. It's exactly the same command but
> with ECDSA ciphers.
>
>    openssl s_server -accept 1 -cipher ECDSA
>    openssl s_client -connect 127.0.0.1:1 -cipher ECDSA
>

Try with a more specific cipher like

-cipher ECDHE-ECDSA-AES128-GCM-SHA256

> That doesn't work. I get this error: "ssl3_get_client_hello:no shared
> cipher". I don't understand, because the server and the client are the
> same binary, and I suppose the ciphers are obviously the same.
>
> I have exactly the same behaviour with haproxy (I wrote a temporary
> patch to get the details of the handshake errors) if I load only an
> ECDSA certificate and enable only the ECDSA ciphers.
>
> I ran a tcpdump network capture, and I see that the client announces
> the right list of ECDSA ciphers. Also, the protocol used is TLS 1.2.
>
>    ... ECDHE-ECDSA-AES128-SHA256 ... ECDHE-ECDSA-AES128-SHA ...
>    ... and others ...
>
> My test certificate is generated from a little chain where the root CA
> is self-signed. So the root CA and the 2 intermediates are RSA
> certificates. The ECDSA certificate is built with these commands:
>
>    openssl ecparam -name secp521r1 -genkey -param_enc explicit -out \
>       $CN.ecdsa.key
>
>    openssl req -new -key $CN.ecdsa.key -out $CN.ecdsa.csr -subj \
>       "$SUBJECT"
>
>    openssl x509 -req -in $CN.ecdsa.csr -CA inter2.pem -CAkey \
>       inter2.key -CAcreateserial -out $CN.ecdsa.cert -days 50 \
>       -sha256
>
> Any ideas?
>
> PS: I can't test DSA either, but in this case the openssl
> s_client fails before trying to connect :) That is another story.
>
> Thierry
>
>
> --
> Thierry Fournier
> m: +33 6 68 69 21 85  | e: thierry.fourn...@ozon.io
> w: http://www.ozon.io/| b: http://blog.ozon.io/
>
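
Bryan's point (encode the key with a named curve, not `-param_enc explicit`) and Igor's (use one specific ECDHE-ECDSA suite, and a curve no higher than secp384r1) put into a script, as an added example that is not from the thread. It assumes `openssl` is on PATH; `$WORK`, the file names and the `/CN=ecdsa-test` subject are placeholders. `s_server` is handed the ECDSA certificate and key explicitly: its default `server.pem` is an RSA certificate, and with an RSA certificate no ECDHE-ECDSA suite can be selected no matter what both cipher lists say, which is exactly the "no shared cipher" error in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: ECDSA test material on a named
# curve, plus the two checks that catch the mistakes discussed above.
# Assumes openssl on PATH; WORK, the file names and the subject are
# placeholders.
set -e
WORK="${WORK:-$(mktemp -d)}"

# gen_key <outfile> <param_enc> [curve]
# param_enc is "named_curve" (what peers expect) or "explicit" (the
# encoding that caused the failure in the thread).
gen_key() {
    openssl ecparam -name "${3:-secp384r1}" -genkey -noout \
        -param_enc "$2" -out "$1"
}

# key_uses_named_curve <keyfile>
# Succeeds only if the key is encoded with a curve OID; a key written
# with explicit parameters prints the field and prime instead of the
# "ASN1 OID:" line.
key_uses_named_curve() {
    openssl ec -in "$1" -noout -text 2>/dev/null | grep -q 'ASN1 OID:'
}

# gen_cert <keyfile> <certfile>: self-signed leaf for local testing.
gen_cert() {
    openssl req -new -x509 -key "$1" -days 30 -subj "/CN=ecdsa-test" -out "$2"
}

# cert_is_ecdsa <certfile>
# The certificate must carry an EC public key or no ECDHE-ECDSA suite
# can be negotiated, whatever the cipher lists on either side say.
cert_is_ecdsa() {
    openssl x509 -in "$1" -noout -text \
        | grep -q 'Public Key Algorithm: id-ecPublicKey'
}

# handshake_ok <keyfile> <certfile> <port>
# The experiment from the thread, with the server given the ECDSA cert
# explicitly. TLS 1.2 is pinned so the negotiated suite name still says
# which signature algorithm was used (TLS 1.3 suite names do not).
handshake_ok() {
    openssl s_server -accept "$3" -cert "$2" -key "$1" -tls1_2 \
        -cipher ECDHE-ECDSA-AES128-GCM-SHA256 -www >/dev/null 2>&1 &
    srv=$!
    sleep 1
    out=$(openssl s_client -connect "127.0.0.1:$3" -tls1_2 \
        -cipher ECDHE-ECDSA-AES128-GCM-SHA256 </dev/null 2>/dev/null || true)
    kill "$srv" 2>/dev/null || true
    printf '%s\n' "$out" | grep -q 'Cipher is ECDHE-ECDSA-AES128-GCM-SHA256'
}

gen_key "$WORK/named.key" named_curve
gen_key "$WORK/explicit.key" explicit
gen_cert "$WORK/named.key" "$WORK/named.crt"

# The handshake needs a free port and a second process, so it is opt-in:
#   RUN_HANDSHAKE=1 sh this_script.sh
if [ "${RUN_HANDSHAKE:-0}" = 1 ]; then
    if handshake_ok "$WORK/named.key" "$WORK/named.crt" 14433; then
        echo "ECDSA handshake OK"
    else
        echo "ECDSA handshake FAILED"
    fi
fi
```

`key_uses_named_curve` is the check to run on any key before blaming the cipher list: a key that prints `Field Type: prime-field` instead of `ASN1 OID:` was written with explicit parameters and should be regenerated with `-param_enc named_curve` (the default), since explicit parameters force every peer to validate arbitrary domain parameters and many stacks simply refuse them.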


Certificates dynamic update

2016-10-11 Thread Thierry Fournier
Hi list,

I have a project to write dynamic updating of the SSL certificates. I
encountered some cases where haproxy deals with many websites, and it
would be great if we could replace / add certificates without restarting
HAProxy.

I'm looking for some opinions or advice.

I need to:

 - list the currently loaded certificate IDs (embedding ECDSA).

 - add or replace certificates embedding the 3 certificate versions
   RSA/DSA/ECDSA and the SNI filter.

 - delete SNI entries (and the certificates if it is the last one).

For listing the certificates, I need to scan the content of the
OpenSSL SSL_CTX and extract the certificate IDs. It seems impossible;
OpenSSL does not seem to provide a method for doing this. So I propose to
memorize the certificate IDs when each certificate is added to an
SSL_CTX.

For the list:

   show ssl [proxy/listener]

This command lists all certificates by SNI for a listener. If the
proxy/listener is not specified, the command lists the available proxies
and listeners.


For the replacement or update, I propose some CLI commands like this:

   set ssl certificate begin proxy/listener [sni filters]

This command creates a new SSL context which will be filled by the
following commands. If a previous context exists, it is destroyed. This
is incompatible with concurrent access to the CLI.

   set ssl certificate (any|rsa|ecdsa|dsa)
   
   EOF

The difficulty is marking the end of the certificate, so I propose to
mark the end with the string "\nEOF\n".

   set ssl certificate commit

This command validates and installs the new certificates and removes the
old ones.


And finally this command destroys an existing certificate:

   del ssl certificate proxy/listener id

Any ideas or comments?

Thanks
Thierry

-- 
Thierry Fournier
m: +33 6 68 69 21 85  | e: thierry.fourn...@ozon.io
w: http://www.ozon.io/| b: http://blog.ozon.io/
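
What a `commit` step has to validate before swapping material into a live listener, as an added example that is not HAProxy code and does not depend on the CLI syntax proposed above. It assumes `openssl` on PATH; `$WORK` and the file names are placeholders, and the test key pairs are generated inline. The checks are the ones that fail loudest after a hot swap: a private key that does not belong to the certificate, a certificate whose key type does not match the slot (rsa/ecdsa/dsa) it is being loaded into, and a certificate that is already expired or expires sooner than the next update would land.

```shell
#!/bin/sh
# Added example, not HAProxy code: pre-commit validation of a PEM
# key/certificate pair before it is swapped into a live listener.
# Assumes openssl on PATH; WORK and the file names are placeholders.
set -e
WORK="${WORK:-$(mktemp -d)}"

# key_matches_cert <keyfile> <certfile>
# Compares the SubjectPublicKeyInfo derived from the private key with the
# one inside the certificate. A mismatch means every handshake would fail
# after the swap (or, with a mixed-up bundle, the wrong site's key is used).
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_key_type <certfile>: prints rsa, ecdsa, dsa or unknown, so the
# caller can verify the material is going into the matching slot.
cert_key_type() {
    case "$(openssl x509 -in "$1" -noout -text | grep 'Public Key Algorithm')" in
        *rsaEncryption*)  echo rsa ;;
        *id-ecPublicKey*) echo ecdsa ;;
        *dsaEncryption*)  echo dsa ;;
        *)                echo unknown ;;
    esac
}

# cert_valid_for <certfile> <seconds>
# Fails if the certificate is expired or expires within <seconds>.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# validate_pair <keyfile> <certfile> <expected_type>
# Runs all three checks; prints the first failure and returns non-zero.
validate_pair() {
    key_matches_cert "$1" "$2" || { echo "key does not match cert"; return 1; }
    t=$(cert_key_type "$2")
    [ "$t" = "$3" ] || { echo "cert key type is $t, expected $3"; return 1; }
    cert_valid_for "$2" 86400 || { echo "cert expired or expires within a day"; return 1; }
}

# Constructed test material: an ECDSA pair, plus an RSA key that does
# not belong to the certificate.
openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/ec.key"
openssl req -new -x509 -key "$WORK/ec.key" -days 30 -subj "/CN=update-test" \
    -out "$WORK/ec.crt"
openssl genrsa -out "$WORK/rsa.key" 2048 2>/dev/null

validate_pair "$WORK/ec.key" "$WORK/ec.crt" ecdsa && echo "ok: ecdsa pair valid"
validate_pair "$WORK/rsa.key" "$WORK/ec.crt" ecdsa || echo "rejected as expected"
```

The public-key comparison is deliberately done on the re-encoded SubjectPublicKeyInfo rather than on a modulus or a curve point, so the same function covers RSA, ECDSA and DSA material without special cases.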



ECDSA and HAProxy help

2016-10-11 Thread Thierry Fournier
Hi list,

I'm currently trying to investigate a small memory leak in
certificate loading, and I'm trying to test ECDSA certificates and
ciphers.

I can't get this done :( I don't understand anything about the ECDSA
certificate process.

So, after many failures with HAProxy, I tried to validate the concept
with openssl only. I used openssl 1.0.2j.

First I tested classic RSA ciphers (I suppose OpenSSL builds its own
certificates?):

   openssl s_server -accept 1 -cipher RSA
   openssl s_client -connect 127.0.0.1:1 -cipher RSA

That works! Then I tried with ECDSA. It's exactly the same command but
with ECDSA ciphers.

   openssl s_server -accept 1 -cipher ECDSA
   openssl s_client -connect 127.0.0.1:1 -cipher ECDSA

That doesn't work. I get this error: "ssl3_get_client_hello:no shared
cipher". I don't understand, because the server and the client are the
same binary, and I suppose the ciphers are obviously the same.

I have exactly the same behaviour with haproxy (I wrote a temporary
patch to get the details of the handshake errors) if I load only an
ECDSA certificate and enable only the ECDSA ciphers.

I ran a tcpdump network capture, and I see that the client announces
the right list of ECDSA ciphers. Also, the protocol used is TLS 1.2.

   ... ECDHE-ECDSA-AES128-SHA256 ... ECDHE-ECDSA-AES128-SHA ...
   ... and others ...

My test certificate is generated from a little chain where the root CA
is self-signed. So the root CA and the 2 intermediates are RSA
certificates. The ECDSA certificate is built with these commands:

   openssl ecparam -name secp521r1 -genkey -param_enc explicit -out \
      $CN.ecdsa.key

   openssl req -new -key $CN.ecdsa.key -out $CN.ecdsa.csr -subj \
      "$SUBJECT"

   openssl x509 -req -in $CN.ecdsa.csr -CA inter2.pem -CAkey \
      inter2.key -CAcreateserial -out $CN.ecdsa.cert -days 50 \
      -sha256

Any ideas?

PS: I can't test DSA either, but in this case the openssl
s_client fails before trying to connect :) That is another story.

Thierry


-- 
Thierry Fournier
m: +33 6 68 69 21 85  | e: thierry.fourn...@ozon.io
w: http://www.ozon.io/| b: http://blog.ozon.io/



Re: status=-1 in log file

2016-10-11 Thread Jonathan Dulize
Ok, thanks for your reply.


Jonathan DULIZE
Solution Engineer
E-Mail : jdul...@premaccess.com
Mobile : +41 78 720 38 76

Siège social
Premaccess SA
Route des Arsenaux 41 - CP 132
CH-1705 Fribourg, Suisse

http://www.premaccess.com

2016-09-27 14:21 GMT+02:00 Dave Blakey :

> If the request was aborted before a complete response could be received,
> so a timeout was hit, something like that.
>
> On Tue, Sep 27, 2016 at 2:18 PM, Jonathan Dulize 
> wrote:
>
>> Hi everybody,
>>
>> In my haproxy access log files I sometimes have this status code for
>> the HTTP return code: status=-1
>>
>>
>> What does it mean?
>>
>> Any idea? What can I do?
>>
>> Thanks.
>>
>> Jonathan DULIZE
>> Solution Engineer
>> E-Mail : jdul...@premaccess.com
>> Mobile : +41 78 720 38 76
>>
>> Siège social
>> Premaccess SA
>> Route des Arsenaux 41 - CP 132
>> CH-1705 Fribourg, Suisse
>>
>> http://www.premaccess.com
>>
>
>


[PATCH 1/2] MINOR: Add src_status sample fetch

2016-10-11 Thread Nenad Merdanovic
This sample fetch returns a concatenation of the client's IP address
and the HTTP status code returned, separated by a single comma character.

Signed-off-by: Nenad Merdanovic 
---
 doc/configuration.txt |  6 ++
 src/proto_http.c  | 39 +++
 2 files changed, 45 insertions(+)

diff --git a/doc/configuration.txt b/doc/configuration.txt
index b5e67fe..b8c8295 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -14180,6 +14180,12 @@ set-cookie([]) : string (deprecated)
   This fetch function is deprecated and has been superseded by the "res.cook"
   fetch. This keyword will disappear soon.
 
+src_status : string
+  Returns a string containing the concatenation of the client's IP address and
+  the HTTP status code returned, separated by a single comma character. It is
+  mostly used to track the number of HTTP response codes returned per IP 
address
+  and acting based on that number.
+
 status : integer
   Returns an integer containing the HTTP status code in the HTTP response, for
   example, 302. It is mostly used within ACLs and integer ranges, for example,
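Review bot: the new doc entry should show the exact output shape and the phase in which the fetch is usable, since neither is obvious from the text: e.g. `192.0.2.10,503` (an IPv6 client gives `2001:db8::1,503`, which is why the comma rather than a colon is the separator), and that the value only exists once the response status line has been parsed, so it is for `http-response` rules and `track-sc*` against a string-typed stick table, not for `http-request`.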
diff --git a/src/proto_http.c b/src/proto_http.c
index 50e3d48..13c75ac 100644
--- a/src/proto_http.c
+++ b/src/proto_http.c
@@ -10146,6 +10146,44 @@ smp_fetch_stcode(const struct arg *args, struct sample 
*smp, const char *kw, voi
 }
 
 static int
+smp_fetch_src_status(const struct arg *args, struct sample *smp, const char 
*kw, void *private)
+{
+   struct chunk *temp;
+   struct connection *cli_conn = objt_conn(smp->sess->origin);
+   struct http_txn *txn;
+   char *ptr;
+   int statlen, len;
+
+   if (!cli_conn)
+   return 0;
+
+   CHECK_HTTP_MESSAGE_FIRST();
+
+   txn = smp->strm->txn;
+   if (txn->rsp.msg_state < HTTP_MSG_BODY)
+   return 0;
+
+   statlen = txn->rsp.sl.st.c_l;
+   ptr = txn->rsp.chn->buf->p + txn->rsp.sl.st.c;
+
+   temp = get_trash_chunk();
+
+   if (addr_to_str((struct sockaddr_storage *)_conn->addr.from, 
temp->str, temp->size) <= 0)
+   return 0;
+
+   len = strlen(temp->str);
+   temp->str[len++] = ',';
+   memcpy(temp->str + len, ptr, statlen);
+   len += statlen;
+   temp->str[len++] = '\0';
+
+   smp->data.u.str = *temp;
+   smp->data.u.str.len = len;
+   smp->data.type = SMP_T_STR;
+   return 1;
+}
+
+static int
 smp_fetch_uniqueid(const struct arg *args, struct sample *smp, const char *kw, 
void *private)
 {
if (LIST_ISEMPTY(>sess->fe->format_unique_id))
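Review bot: the length stored in `smp->data.u.str.len` includes the NUL terminator, because `temp->str[len++] = '\0';` increments `len` before `smp->data.u.str.len = len;`, so every consumer (stick-table key, log, comparison) sees a string one byte too long with a trailing 0x00. Write the terminator without the increment (`temp->str[len] = '\0';`). Also nothing checks that `len + 1 + statlen + 1` fits in `temp->size` before the `memcpy`; the trash chunk is large enough for any IP plus a 3-digit status, but a one-line `if (len + statlen + 2 > temp->size) return 0;` after `addr_to_str` keeps that invariant explicit rather than implied. Finally, the status-code extraction duplicates the lines of `smp_fetch_stcode` just above; factoring the "response status line is available" check into a shared helper would keep the two in sync.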
@@ -12894,6 +12932,7 @@ static struct sample_fetch_kw_list 
sample_fetch_keywords = {ILH, {
{ "shdr_ip", smp_fetch_hdr_ip, ARG2(0,STR,SINT), 
val_hdr, SMP_T_IPV4, SMP_USE_HRSHV },
{ "shdr_val",smp_fetch_hdr_val,ARG2(0,STR,SINT), 
val_hdr, SMP_T_SINT, SMP_USE_HRSHV },
 
+   { "src_status",  smp_fetch_src_status, 0,NULL,  
  SMP_T_STR,  SMP_USE_HRSHP },
{ "status",  smp_fetch_stcode, 0,NULL,  
  SMP_T_SINT, SMP_USE_HRSHP },
{ "unique-id",   smp_fetch_uniqueid,   0,NULL,  
  SMP_T_STR,  SMP_SRC_L4SRV },
{ "url", smp_fetch_url,0,NULL,  
  SMP_T_STR,  SMP_USE_HRQHV },
-- 
2.8.1




[PATCH 2/2] CLEANUP: Rename smp_fetch_stcode to smp_fetch_status

2016-10-11 Thread Nenad Merdanovic
We want the function names in the code to match the fetch names
in the configuration.

Signed-off-by: Nenad Merdanovic 
---
 src/proto_http.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/proto_http.c b/src/proto_http.c
index 13c75ac..c11a1af 100644
--- a/src/proto_http.c
+++ b/src/proto_http.c
@@ -10124,7 +10124,7 @@ smp_fetch_stver(const struct arg *args, struct sample 
*smp, const char *kw, void
 
 /* 3. Check on Status Code. We manipulate integers here. */
 static int
-smp_fetch_stcode(const struct arg *args, struct sample *smp, const char *kw, 
void *private)
+smp_fetch_status(const struct arg *args, struct sample *smp, const char *kw, 
void *private)
 {
struct http_txn *txn;
char *ptr;
@@ -12933,7 +12933,7 @@ static struct sample_fetch_kw_list 
sample_fetch_keywords = {ILH, {
{ "shdr_val",smp_fetch_hdr_val,ARG2(0,STR,SINT), 
val_hdr, SMP_T_SINT, SMP_USE_HRSHV },
 
{ "src_status",  smp_fetch_src_status, 0,NULL,  
  SMP_T_STR,  SMP_USE_HRSHP },
-   { "status",  smp_fetch_stcode, 0,NULL,  
  SMP_T_SINT, SMP_USE_HRSHP },
+   { "status",  smp_fetch_status, 0,NULL,  
  SMP_T_SINT, SMP_USE_HRSHP },
{ "unique-id",   smp_fetch_uniqueid,   0,NULL,  
  SMP_T_STR,  SMP_SRC_L4SRV },
{ "url", smp_fetch_url,0,NULL,  
  SMP_T_STR,  SMP_USE_HRQHV },
{ "url32",   smp_fetch_url32,  0,NULL,  
  SMP_T_SINT, SMP_USE_HRQHV },
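Review bot: this hunk rewrites the `"status"` keyword line that 1/2 just touched when it inserted `src_status` above it, so the series modifies the same line twice. Putting the pure rename first in the series (or folding it into 1/2) avoids that churn and lets each patch apply and bisect cleanly on its own; the function body hunk above has the same ordering issue with the `/* 3. Check on Status Code. */` block.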
-- 
2.8.1