Re: SSL Termination or Passthrough

2017-02-18 Thread Sam Crowell
After looking at the config more on that page, I see this is termination
with http traffic on the backend (which is what Willie said). So to keep it
TLS the whole way to the back end I have to use TCP pass through.

Thanks again this has been informative.

Sam



On February 18, 2017 at 6:51:10 AM, Sam Crowell (crowes...@gmail.com) wrote:

> Thanks, this is what I was looking for. I could just call a reload of the
> LB with the PID whenever the CRL was updated by the cron.
>
> Is there a requirement to bind on 443 for this method or can I make it
> anything?
>
> Adding the header info with the details from the client will require a
> backend server side change to now check the headers for this information or
> is it the default location and should appear like hitting the server
> directly? I am going to test just to verify the results.
>
> Thanks again for the help.
>
> Sam
>
> On February 18, 2017 at 2:33:41 AM, Daniel Schneller (
> daniel.schnel...@centerdevice.com) wrote:
>
>> Damn. I shouldn't respond to questions after midnight :-(. I completely
>> overread this is about client certificates until now. Sorry for missing
>> that, Sam; and thanks Willy for the interesting link.
>>
>> One question comes up for me though, after reading it (unless I am still
>> not awake enough, in which case I apologize upfront). The article contains
>> instructions about a cron job to periodically fetch a CRL and put it in the
>> place where haproxy expects it. But doesn't haproxy load the file just once
>> on startup? Would replacing it like that even be noticed?
>>
>> Daniel
>>
>> On 18 Feb 2017, at 07:28, Willy Tarreau  wrote:
>>
>> On Fri, Feb 17, 2017 at 07:20:14PM -0500, Sam Crowell wrote:
>> Thanks for the response Daniel. What is the best way to handle SSL traffic
>> through a load balancer to maintain original client certificates? Just use
>> mode TCP and passthrough? Is there a way to do that without turning off
>> hostname verifier at the client level?
>>
>>
>> If you want to transfer client certificates to the server, you have to
>> pass them in HTTP headers or using the proxy protocol for non-HTTP
>> services. This means that you'll rely on haproxy to validate these
>> client certs using the CA and possibly CRL though.
>>
>> There's a good example here:
>>
>> https://raymii.org/s/tutorials/haproxy_client_side_ssl_certificates.html
>>
>> Hoping this helps,
>> Willy
>>
>>


Re: SSL Termination or Passthrough

2017-02-18 Thread Sam Crowell
Thanks, this is what I was looking for. I could just call a reload of the
LB with the PID whenever the CRL was updated by the cron.

Is there a requirement to bind on 443 for this method or can I make it
anything?

Adding the header info with the details from the client will require a
backend server side change to now check the headers for this information or
is it the default location and should appear like hitting the server
directly? I am going to test just to verify the results.

Thanks again for the help.

Sam

On February 18, 2017 at 2:33:41 AM, Daniel Schneller (
daniel.schnel...@centerdevice.com) wrote:

> Damn. I shouldn't respond to questions after midnight :-(. I completely
> overread this is about client certificates until now. Sorry for missing
> that, Sam; and thanks Willy for the interesting link.
>
> One question comes up for me though, after reading it (unless I am still
> not awake enough, in which case I apologize upfront). The article contains
> instructions about a cron job to periodically fetch a CRL and put it in the
> place where haproxy expects it. But doesn't haproxy load the file just once
> on startup? Would replacing it like that even be noticed?
>
> Daniel
>
> On 18 Feb 2017, at 07:28, Willy Tarreau  wrote:
>
> On Fri, Feb 17, 2017 at 07:20:14PM -0500, Sam Crowell wrote:
> Thanks for the response Daniel. What is the best way to handle SSL traffic
> through a load balancer to maintain original client certificates? Just use
> mode TCP and passthrough? Is there a way to do that without turning off
> hostname verifier at the client level?
>
>
> If you want to transfer client certificates to the server, you have to
> pass them in HTTP headers or using the proxy protocol for non-HTTP
> services. This means that you'll rely on haproxy to validate these
> client certs using the CA and possibly CRL though.
>
> There's a good example here:
>
> https://raymii.org/s/tutorials/haproxy_client_side_ssl_certificates.html
>
> Hoping this helps,
> Willy
>
>


Re: SSL Termination or Passthrough

2017-02-17 Thread Daniel Schneller
Damn. I shouldn't respond to questions after midnight :-(. I completely 
overread this is about client certificates until now. Sorry for missing that, 
Sam; and thanks Willy for the interesting link. 

One question comes up for me though, after reading it (unless I am still not 
awake enough, in which case I apologize upfront). The article contains 
instructions about a cron job to periodically fetch a CRL and put it in the 
place where haproxy expects it. But doesn't haproxy load the file just once on 
startup? Would replacing it like that even be noticed?

Daniel

> On 18 Feb 2017, at 07:28, Willy Tarreau  wrote:
> 
>> On Fri, Feb 17, 2017 at 07:20:14PM -0500, Sam Crowell wrote:
>> Thanks for the response Daniel.  What is the best way to handle SSL traffic
>> through a load balancer to maintain original client certificates?  Just use
>> mode TCP and passthrough?  Is there a way to do that without turning off
>> hostname verifier at the client level?
> 
> If you want to transfer client certificates to the server, you have to
> pass them in HTTP headers or using the proxy protocol for non-HTTP
> services. This means that you'll rely on haproxy to validate these
> client certs using the CA and possibly CRL though.
> 
> There's a good example here:
> 
>   https://raymii.org/s/tutorials/haproxy_client_side_ssl_certificates.html
> 
> Hoping this helps,
> Willy



Re: SSL Termination or Passthrough

2017-02-17 Thread Willy Tarreau
On Fri, Feb 17, 2017 at 07:20:14PM -0500, Sam Crowell wrote:
> Thanks for the response Daniel.  What is the best way to handle SSL traffic
> through a load balancer to maintain original client certificates?  Just use
> mode TCP and passthrough?  Is there a way to do that without turning off
> hostname verifier at the client level?

If you want to transfer client certificates to the server, you have to
pass them in HTTP headers or using the proxy protocol for non-HTTP
services. This means that you'll rely on haproxy to validate these
client certs using the CA and possibly CRL though.

There's a good example here:

   https://raymii.org/s/tutorials/haproxy_client_side_ssl_certificates.html

Hoping this helps,
Willy
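
The termination approach Willy describes, as an added example that is not part of the thread or of the raymii.org article: haproxy terminates TLS, verifies the client certificate against a CA and CRL, and forwards the verified certificate's details to an HTTP backend in headers, or to a non-HTTP backend in a PROXY protocol v2 TLV. It also answers the follow-up questions raised later in the thread: the bind port is arbitrary, the backend must be changed to read the headers (and must only accept them from haproxy, since anyone who can reach the backend directly could forge them), and the CRL file is read at startup, so a cron job that replaces it has to be followed by a reload. All paths, names, addresses and ports are assumptions for illustration.

```haproxy
# Added example (not from the thread or the raymii.org article). Paths, names,
# addresses and ports are assumptions for illustration.
global
    log /dev/log local0

defaults
    log     global
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend fe_mtls
    # The port is arbitrary; 443 is only a convention. Clients must trust
    # site.pem (or its issuer) because haproxy is the TLS endpoint here.
    bind *:8443 ssl crt /etc/haproxy/certs/site.pem ca-file /etc/haproxy/ca/clients-ca.pem crl-file /etc/haproxy/ca/clients.crl verify required
    mode http

    # ca-file and crl-file are loaded when haproxy starts. After a cron job
    # replaces clients.crl, reload haproxy (for example
    # "haproxy -f /etc/haproxy/haproxy.cfg -sf $(cat /run/haproxy.pid)" or
    # "systemctl reload haproxy"); otherwise the new revocations are never seen.

    # Always overwrite these headers with values haproxy derived from the
    # handshake, so a client cannot inject its own X-SSL-Client-* values.
    http-request set-header X-SSL-Client-Verify   %[ssl_c_verify]
    http-request set-header X-SSL-Client-DN       %{+Q}[ssl_c_s_dn]
    http-request set-header X-SSL-Client-CN       %{+Q}[ssl_c_s_dn(CN)]
    http-request set-header X-SSL-Client-Issuer   %{+Q}[ssl_c_i_dn]
    http-request set-header X-SSL-Client-Serial   %[ssl_c_serial,hex]
    http-request set-header X-SSL-Client-SHA1     %[ssl_c_sha1,hex]
    http-request set-header X-SSL-Client-NotAfter %[ssl_c_notafter]

    # "verify required" already aborts the handshake without a valid client
    # certificate; this line is a second guard against misconfiguration
    # (ssl_c_verify is 0 only when verification succeeded).
    http-request deny if !{ ssl_c_used } or !{ ssl_c_verify 0 }

    default_backend be_app

backend be_app
    mode http
    # Re-encrypt to the backend and verify its certificate against the
    # internal CA, so the path stays TLS end to end without TCP passthrough.
    # "sni" sets the name the backend certificate must match.
    # The backend must read X-SSL-Client-* and should accept connections only
    # from haproxy (firewall or network ACL), never directly from clients.
    server app1 10.0.0.11:8443 ssl verify required ca-file /etc/haproxy/ca/internal-ca.pem sni str(app.internal.example) check

# A non-HTTP service has no headers to carry the identity; send the verified
# client certificate's CN in a PROXY protocol v2 TLV instead. The backend
# must understand PROXY protocol v2.
listen ldap_mtls
    mode tcp
    bind *:8636 ssl crt /etc/haproxy/certs/site.pem ca-file /etc/haproxy/ca/clients-ca.pem crl-file /etc/haproxy/ca/clients.crl verify required
    server ldap1 10.0.0.21:636 ssl verify required ca-file /etc/haproxy/ca/internal-ca.pem send-proxy-v2-ssl-cn
```

In this model haproxy, not the backend, is the component that checks the client certificate against the CA and the CRL; the backend only sees the derived headers (or the PROXY TLV), so the trust in those values is exactly the trust placed in haproxy and in the network path between it and the backend.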



Re: SSL Termination or Passthrough

2017-02-17 Thread Sam Crowell
Thanks a lot for the help.

Sam

On February 17, 2017 at 7:55:05 PM, Daniel Schneller (
daniel.schnel...@centerdevice.com) wrote:

You should be able to configure haproxy in TCP mode and have it appear
transparent, without the clients complaining. You won't be able to do
anything on the http level, of course, but passing encrypted streams back
and forth is a completely valid use case. Just keep anything TLS out of the
haproxy config for these front ends and backends. :-)

On 18 Feb 2017, at 01:27, Sam Crowell <crowes...@gmail.com> wrote:

I guess it’s probably the same answer, it’s working as intended and even
with passthrough the load balancer certificate does not match the backend
server so it still throws the warning which makes sense.

On February 17, 2017 at 7:20:14 PM, Sam Crowell (crowes...@gmail.com) wrote:

Thanks for the response Daniel.  What is the best way to handle SSL traffic
through a load balancer to maintain original client certificates?  Just use
mode TCP and passthrough?  Is there a way to do that without turning off
hostname verifier at the client level?

Thanks,
Sam

On February 17, 2017 at 7:13:23 PM, Daniel Schneller (
daniel.schnel...@centerdevice.com) wrote:

Sam,

This not working the way you would like is the cornerstone and one of the
key features of TLS. It is designed to ensure there is nothing in the
middle between the client and the server. If you need to inspect the
traffic, by definition you cannot without the clients trusting your
certificate (or its issuing authority as a whole).
To be precise, you can't pose as the real server, because for that you
would not need the public certificate of the server (which you can easily
get), but its private key. By definition, you won't be able to get a hold
of it, as the real server alone has it.

All inspecting TLS proxies communicate with their own private
key/certificate pair with the client. There is no way around that.

Regards,
Daniel


> On 18 Feb 2017, at 00:47, Sam Crowell <crowes...@gmail.com> wrote:
>
> Is there a way to do SSL termination at the load balancer, but then send
the original certificate to the backend server? I have seen plenty of notes
and configs for SSL passthrough and SSL termination with re-encryption by
the load balancer certificate.
>
> Even with passthrough, I still have to disable hostname verifier because
the backend server doesn't match the load balancer certificate.
>
> I know there has to be a way to do this, I just can't find it in the
documentation or on the internet.
>
> Thanks for the help and keep up the great work.
>
> Thanks,
> Paul
>


Re: SSL Termination or Passthrough

2017-02-17 Thread Daniel Schneller
You should be able to configure haproxy in TCP mode and have it appear 
transparent, without the clients complaining. You won't be able to do anything 
on the http level, of course, but passing encrypted streams back and forth is a 
completely valid use case. Just keep anything TLS out of the haproxy config for 
these front ends and backends. :-)

> On 18 Feb 2017, at 01:27, Sam Crowell <crowes...@gmail.com> wrote:
> 
> I guess it’s probably the same answer, it’s working as intended and even with 
> passthrough the load balancer certificate does not match the backend server 
> so it still throws the warning which makes sense.
>> On February 17, 2017 at 7:20:14 PM, Sam Crowell (crowes...@gmail.com) wrote:
>> 
>> Thanks for the response Daniel.  What is the best way to handle SSL traffic 
>> through a load balancer to maintain original client certificates?  Just use 
>> mode TCP and passthrough?  Is there a way to do that without turning off 
>> hostname verifier at the client level?
>> 
>> Thanks,
>> Sam
>> 
>>> On February 17, 2017 at 7:13:23 PM, Daniel Schneller 
>>> (daniel.schnel...@centerdevice.com) wrote:
>>> 
>>> Sam,
>>> 
>>> This not working the way you would like is the cornerstone and one of the
>>> key features of TLS. It is designed to ensure there is nothing in the 
>>> middle between the client and the server. If you need to inspect the 
>>> traffic, by definition you cannot without the clients trusting your 
>>> certificate (or its issuing authority as a whole).
>>> To be precise, you can't pose as the real server, because for that you 
>>> would not need the public certificate of the server (which you can easily 
>>> get), but its private key. By definition, you won't be able to get a hold 
>>> of it, as the real server alone has it.
>>> 
>>> All inspecting TLS proxies communicate with their own private 
>>> key/certificate pair with the client. There is no way around that.
>>> 
>>> Regards,
>>> Daniel
>>> 
>>> 
>>> > On 18 Feb 2017, at 00:47, Sam Crowell <crowes...@gmail.com> wrote:
>>> >
>>> > Is there a way to do SSL termination at the load balancer, but then send 
>>> > the original certificate to the backend server? I have seen plenty of 
>>> > notes and configs for SSL passthrough and SSL termination with 
>>> > re-encryption by the load balancer certificate.
>>> >
>>> > Even with passthrough, I still have to disable hostname verifier because 
>>> > the backend server doesn't match the load balancer certificate.
>>> >
>>> > I know there has to be a way to do this, I just can't find it in the 
>>> > documentation or on the internet.
>>> >
>>> > Thanks for the help and keep up the great work.
>>> >
>>> > Thanks,
>>> > Paul
>>> >
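
The TCP-mode passthrough Daniel describes, as an added example that is not part of the thread: haproxy forwards the encrypted stream opaquely and carries no certificate or key at all. Because the client's handshake is with the backend server, the name the client connects to must be covered by the backend's certificate; fixing that certificate, rather than disabling hostname verification in the client, removes the mismatch warning mentioned earlier in the thread. Any client-certificate verification also has to happen on the backend, since haproxy cannot see the certificates in this mode. The example goes slightly beyond the message by routing on SNI, which only requires inspecting the unencrypted ClientHello. Names, addresses and ports are assumptions for illustration.

```haproxy
# Added example (not from the thread). Names, addresses and ports are
# assumptions for illustration.
defaults
    mode    tcp
    log     global
    option  tcplog
    timeout connect 5s
    timeout client  60s
    timeout server  60s

frontend fe_tls_passthrough
    # No "ssl" keyword on the bind line: the bytes are forwarded as-is.
    bind *:443
    # Wait up to 5s for the ClientHello so the SNI can be read; nothing is
    # decrypted, only the cleartext hello is examined.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    # Route by SNI. Anything that is not a TLS ClientHello, or that carries an
    # unexpected name, goes to a backend that closes the connection.
    use_backend be_app if { req.ssl_sni -i app.example.com }
    use_backend be_api if { req.ssl_sni -i api.example.com }
    default_backend be_reject

backend be_app
    # Each server must present a certificate valid for app.example.com and
    # must do its own client-certificate verification if one is required:
    # haproxy cannot see, verify or forward client certificates here.
    # Add "send-proxy" to a server line only if that server speaks the PROXY
    # protocol; otherwise it sees haproxy's address as the client address.
    balance roundrobin
    server app1 10.0.0.11:443 check
    server app2 10.0.0.12:443 check

backend be_api
    balance roundrobin
    server api1 10.0.0.21:443 check

backend be_reject
    # Connections that matched no SNI rule are closed here.
    tcp-request content reject
```

Because nothing is terminated, the backend must expose the same TLS posture (certificate names, protocol versions, cipher suites, client-certificate checks) it would if clients connected to it directly; haproxy adds availability and routing, not any TLS policy.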


Re: SSL Termination or Passthrough

2017-02-17 Thread Sam Crowell
I guess it’s probably the same answer, it’s working as intended and even
with passthrough the load balancer certificate does not match the backend
server so it still throws the warning which makes sense.

On February 17, 2017 at 7:20:14 PM, Sam Crowell (crowes...@gmail.com) wrote:

Thanks for the response Daniel.  What is the best way to handle SSL traffic
through a load balancer to maintain original client certificates?  Just use
mode TCP and passthrough?  Is there a way to do that without turning off
hostname verifier at the client level?

Thanks,
Sam

On February 17, 2017 at 7:13:23 PM, Daniel Schneller (
daniel.schnel...@centerdevice.com) wrote:

Sam,

This not working the way you would like is the cornerstone and one of the
key features of TLS. It is designed to ensure there is nothing in the
middle between the client and the server. If you need to inspect the
traffic, by definition you cannot without the clients trusting your
certificate (or its issuing authority as a whole).
To be precise, you can't pose as the real server, because for that you
would not need the public certificate of the server (which you can easily
get), but its private key. By definition, you won't be able to get a hold
of it, as the real server alone has it.

All inspecting TLS proxies communicate with their own private
key/certificate pair with the client. There is no way around that.

Regards,
Daniel


> On 18 Feb 2017, at 00:47, Sam Crowell <crowes...@gmail.com> wrote:
>
> Is there a way to do SSL termination at the load balancer, but then send
the original certificate to the backend server? I have seen plenty of notes
and configs for SSL passthrough and SSL termination with re-encryption by
the load balancer certificate.
>
> Even with passthrough, I still have to disable hostname verifier because
the backend server doesn't match the load balancer certificate.
>
> I know there has to be a way to do this, I just can't find it in the
documentation or on the internet.
>
> Thanks for the help and keep up the great work.
>
> Thanks,
> Paul
>


Re: SSL Termination or Passthrough

2017-02-17 Thread Sam Crowell
Thanks for the response Daniel.  What is the best way to handle SSL traffic
through a load balancer to maintain original client certificates?  Just use
mode TCP and passthrough?  Is there a way to do that without turning off
hostname verifier at the client level?

Thanks,
Sam

On February 17, 2017 at 7:13:23 PM, Daniel Schneller (
daniel.schnel...@centerdevice.com) wrote:

Sam,

This not working the way you would like is the cornerstone and one of the
key features of TLS. It is designed to ensure there is nothing in the
middle between the client and the server. If you need to inspect the
traffic, by definition you cannot without the clients trusting your
certificate (or its issuing authority as a whole).
To be precise, you can't pose as the real server, because for that you
would not need the public certificate of the server (which you can easily
get), but its private key. By definition, you won't be able to get a hold
of it, as the real server alone has it.

All inspecting TLS proxies communicate with their own private
key/certificate pair with the client. There is no way around that.

Regards,
Daniel


> On 18 Feb 2017, at 00:47, Sam Crowell <crowes...@gmail.com> wrote:
>
> Is there a way to do SSL termination at the load balancer, but then send
the original certificate to the backend server? I have seen plenty of notes
and configs for SSL passthrough and SSL termination with re-encryption by
the load balancer certificate.
>
> Even with passthrough, I still have to disable hostname verifier because
the backend server doesn't match the load balancer certificate.
>
> I know there has to be a way to do this, I just can't find it in the
documentation or on the internet.
>
> Thanks for the help and keep up the great work.
>
> Thanks,
> Paul
>


Re: SSL Termination or Passthrough

2017-02-17 Thread Daniel Schneller
Sam,

This not working the way you would like is the cornerstone and one of the key 
features of TLS. It is designed to ensure there is nothing in the middle 
between the client and the server. If you need to inspect the traffic, by 
definition you cannot without the clients trusting your certificate (or its 
issuing authority as a whole). 
To be precise, you can't pose as the real server, because for that you would 
not need the public certificate of the server (which you can easily get), but 
its private key. By definition, you won't be able to get a hold of it, as the 
real server alone has it. 

All inspecting TLS proxies communicate with their own private key/certificate 
pair with the client. There is no way around that. 

Regards,
Daniel


> On 18 Feb 2017, at 00:47, Sam Crowell <crowes...@gmail.com> wrote:
> 
> Is there a way to do SSL termination at the load balancer, but then send the 
> original certificate to the backend server?  I have seen plenty of notes and 
> configs for SSL passthrough and SSL termination with re-encryption by the 
> load balancer certificate.
> 
> Even with passthrough, I still have to disable hostname verifier because the 
> backend server doesn't match the load balancer certificate.
> 
> I know there has to be a way to do this, I just can't find it in the 
> documentation or on the internet.
> 
> Thanks for the help and keep up the great work.
> 
> Thanks,
> Paul
> 



SSL Termination or Passthrough

2017-02-17 Thread Sam Crowell
Is there a way to do SSL termination at the load balancer, but then send
the original certificate to the backend server?  I have seen plenty of
notes and configs for SSL passthrough and SSL termination with
re-encryption by the load balancer certificate.

Even with passthrough, I still have to disable hostname verifier because
the backend server doesn't match the load balancer certificate.

I know there has to be a way to do this, I just can't find it in the
documentation or on the internet.

Thanks for the help and keep up the great work.

Thanks,
Paul